redline

General

Target

HXSoftware.zip
Size

12.0MB
Sample

240707-q2ebbatbmq
MD5

e2394cb6a06a1169645c367c9fda81e1
SHA1

c969a42a9953d0f3f04b29d26c500ac4f0f0dd9a
SHA256

4887920ef09966bfd09a3930b12912f64c22d52eb9c11f228581de1aab9e5dae
SHA512

409eb4126ff7339610ebcc4d6933f3ecb6b7d2d941d85f95bae9bd99749c4a7fb214c7ef4692ead79a960fe5e2389341b173bb201807dbdd20bfde261c365a6d
SSDEEP

196608:gtKdc26Dh9nqyg+b7IkYCUAIW9yWDGKJsq/6cyFNPkApKvX2VyCF:8KNSh9m+b7PYxAFy4GEHyrP06yI

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Targets

- Target
  
  HXSoftware.zip
- Size
  
  12.0MB
- MD5
  
  e2394cb6a06a1169645c367c9fda81e1
- SHA1
  
  c969a42a9953d0f3f04b29d26c500ac4f0f0dd9a
- SHA256
  
  4887920ef09966bfd09a3930b12912f64c22d52eb9c11f228581de1aab9e5dae
- SHA512
  
  409eb4126ff7339610ebcc4d6933f3ecb6b7d2d941d85f95bae9bd99749c4a7fb214c7ef4692ead79a960fe5e2389341b173bb201807dbdd20bfde261c365a6d
- SSDEEP
  
  196608:gtKdc26Dh9nqyg+b7IkYCUAIW9yWDGKJsq/6cyFNPkApKvX2VyCF:8KNSh9m+b7PYxAFy4GEHyrP06yI
Score

1^/10
behavioral1
- Target
  
  HXSoftware.exe
- Size
  
  7KB
- MD5
  
  b5e479d3926b22b59926050c29c4e761
- SHA1
  
  a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256
  
  fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512
  
  09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP
  
  192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Score

10^/10

redline rhadamanthys discovery execution infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral2
- Target
  
  hx64.dll
- Size
  
  1.3MB
- MD5
  
  4b8bb1d72dd7d6a3233bfbd7757aad8b
- SHA1
  
  518a11b90fc87b0fc19bc0fec52dc048ca378459
- SHA256
  
  bffb9e1b30a3db4655d29f0671caf6e50d10f047329abdb99bbb81c4c9c668cc
- SHA512
  
  a45e4c66f1395e34c81b481795a24aebaace684e349e02bc14b8c00d3587e5f7ddd57a8b36810b751e25244cc832a207bcd7b077bf6154c8658d778f2adbb212
- SSDEEP
  
  24576:oOrp3UZ5Uzp7GCJOE5avlSGnwZ4MuJDCIzUvOh1Ot:oOrpWe7GeOxMGwZ45DHic
Score

1^/10
behavioral3
- Target
  
  vk_swiftshader.dll
- Size
  
  5.1MB
- MD5
  
  b0e40a40b53d79bb04c29ce593ef8c13
- SHA1
  
  4820c6ff151578dc5cc37eea478a2a622325237d
- SHA256
  
  d81546bce0c5671f4101da450b62dcdd98c7c71f063b9863fcfa17c9f20f4ca9
- SHA512
  
  08aab10fc45b6fb3d82201ddba154c132661f12fa059f6bddb4f8a4711badc9f9004fdafd12a2df7de69c49be797d19dacf9816ef19f5e10bd0070ed556c28b7
- SSDEEP
  
  49152:C11wwg+2zcmMotjXHCT1H8mcKdPricwQ+XK2fDZEAjPe9pZzDs9VafQKkqo66lKK:m1rGM2t14ZzmVqQ3t3
Score

1^/10
behavioral4
- Target
  
  vulkan-1.dll
- Size
  
  970KB
- MD5
  
  909a565934a345ba9e03c9fee41b01b0
- SHA1
  
  0637b6a8e8dcd1d8921b70fd287497500d6e8414
- SHA256
  
  9bb9e4518b12181adabeef90cda8be63b14c48d5530edd09d3f94d6bf5dc9637
- SHA512
  
  49a7e2dc30c62ced4e677cf9da0c0470e6c0a630527c406bf1bf389e71c5f3fce59ed15c1359f94abbf037ff27ed704386133ab5b3e63f4f7e92d526a5e3dd66
- SSDEEP
  
  24576:AZZuQ8uG53XLvUMbJg6Z5W1DYsHq6g3P0zAk7J1eXdoG:KYL53XLvvJg6Z5W1DYsHq6g3P0zAk7J
Score

1^/10
behavioral5