General

Target: a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4
Size: 788KB
Sample: 241104-zrlgbaxfll
MD5: 89fc0e8fd47a6d12c2bbc8e17f427f96
SHA1: 431fa52910d84c9356dfe0c0be902eb51cd4f05d
SHA256: a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4
SHA512: d6b6c36c153c4f5f5e14d868acf5f2aeeea729b954593714f5572634a2c42dd4335f3bbfd91b3f80b7dc577c96306b3cf07bf472b283636e65b895269d86b6ac
SSDEEP: 12288:DLnFudzjfk3x6MiGE/f6ILTndVAGAokfprIKYa38+2oWzqWGCWd:DLFuFDuxsFbdVAdfpaasz9G7
Static task: static1

Behavioral task: behavioral1
Sample: a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4.exe
Resource: win10v2004-20241007-en
Malware Config

Extracted family: redline
Botnet: JanKy1602
C2: 144.76.173.68:16125
auth_value: d120bf8ad3b470a7cb11934d38348aff
Targets

Target: a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Access Token Manipulation: 1
  - Create Process with Token: 1

Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Access Token Manipulation: 1
  - Create Process with Token: 1
- Impair Defenses: 3
  - Disable or Modify Tools: 3
- Modify Registry: 4