General
-
Target
a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16.exe
-
Size
589KB
-
Sample
241008-ch3mxaxeqg
-
MD5
28a7627d5eb7367ce48656c15dd98188
-
SHA1
bf74de6c78c4f1b6977af3ec0abe4c49afbf16ee
-
SHA256
a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16
-
SHA512
46bdc7043c3d1821e1f71cf87fcb93fae3cefbe392a060c72c6ac33df2dc353f705fb79e47e20de6e4c7b4684b549d4ef20e83ffd758be8730d176f031c7f3f3
-
SSDEEP
12288:qAH5qwTvYqtp4VFZgdHgo2anVmndXlMDc3cUAmNOeY632lTSh3soF:qAXxtqmdAxanIdXOS5NOLM
Static task
static1
Behavioral task
behavioral1
Sample
a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
asyncrat
0.5.8
Default
176.111.174.140:6606
176.111.174.140:7707
176.111.174.140:8808
oTA1Qk0GTnww
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%Temp%
Targets
-
-
Target
a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16.exe
-
Size
589KB
-
MD5
28a7627d5eb7367ce48656c15dd98188
-
SHA1
bf74de6c78c4f1b6977af3ec0abe4c49afbf16ee
-
SHA256
a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16
-
SHA512
46bdc7043c3d1821e1f71cf87fcb93fae3cefbe392a060c72c6ac33df2dc353f705fb79e47e20de6e4c7b4684b549d4ef20e83ffd758be8730d176f031c7f3f3
-
SSDEEP
12288:qAH5qwTvYqtp4VFZgdHgo2anVmndXlMDc3cUAmNOeY632lTSh3soF:qAXxtqmdAxanIdXOS5NOLM
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2