General

Target: file.exe
Size: 1.7MB
Sample: 240910-xcwydsyerp
MD5: 979d8a371c97ed8f2438e6809064dcd9
SHA1: 56b6b7eb3a1d2a9fdf2c7cbc5a253b72adcf5a29
SHA256: b6c12a25d818dde41b6b677104f2f3de495a8175af811b5a71fc91e43c12c3fc
SHA512: 64c776cd89299beb89792ce05514150086ea05344a7917533b10b9bdf11330cf0d3fbf0d169b9d382b3020ad363d23490d7b2c32b67a43ca79d646aa0d37e576
SSDEEP: 24576:0NA3R5drX/Wf1eYHpjovAA3HlaPnGAYh5stet5h52sKMJgvW69EvJuok0h8Rx59U:V5O9eYHloH3HlcGbDss/fvpvJuWiXU

Static task: static1

Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20240802-en

Malware Config

Extracted (redline):
  LogsDiller Cloud (TG: @logsdillabot)
  45.91.202.63:25415
Targets

Target: file.exe
Signatures:

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to or copy of a web browser credential store.
.NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15

Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
  Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
  Unsecured Credentials (2)
  Credentials In Files (2)