Extracted

• • Target

    Malware.rar

  • Size

    100.4MB

  • MD5

    28994cb033237e2cebe133d34bf84075

  • SHA1

    b22906ccea6801d5d128998a52858615bdaf8b88

  • SHA256

    180f7ddc37ffdaf2031425bd863bb92cafb71e1e637f901eb5124a3b171c05bc

  • SHA512

    0e9bfe3cae7589489e16107d36f003b260343e89d3cb8916a68b023319b83454590b10cfe4f30e83905f463a3682379d10d5cc2ad0394bed92e9efef40182e0f

  • SSDEEP

    1572864:f2/9sgAlH0/iKTLdQ6m9Irlt2xx3GpK1343vYGklBRipFQ7Zq/nt:fS9sgGHSiKTxQPpLGs1IgGdrwq/t

  Score

  10^/10

  redlinerhadamanthyscredential_accessdiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationspywarestealertrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral1