Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 10:27
Static task static1

Behavioral task behavioral1: Sample Discord Nitro Generator.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample Discord Nitro Generator.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample GFSDK_ShadowLib.win64.dll, Resource win7-20241010-en
Behavioral task behavioral4: Sample GFSDK_ShadowLib.win64.dll, Resource win10v2004-20241007-en
Behavioral task behavioral5: Sample Scrafy.dll, Resource win7-20240903-en
Behavioral task behavioral6: Sample Scrafy.dll, Resource win10v2004-20241007-en
Behavioral task behavioral7: Sample d3dcsx_46.dll, Resource win7-20241010-en
Behavioral task behavioral8: Sample d3dcsx_46.dll, Resource win10v2004-20241007-en
Behavioral task behavioral9: Sample keys.dll, Resource win7-20240903-en
Behavioral task behavioral10: Sample keys.dll, Resource win10v2004-20241007-en
Behavioral task behavioral11: Sample swds.dll, Resource win7-20241010-en
Behavioral task behavioral12: Sample swds.dll, Resource win10v2004-20241007-en
General
Target: Discord Nitro Generator.exe
Size: 1.8MB
MD5: 0bcb060add426e4fa9d052ad82067593
SHA1: 618e6f67f1d48b4500419876a3524f2ebd1465fb
SHA256: 2df99efadd0746be4481aa3a94e27cf0f1d2e432d17523f882390730e1870559
SHA512: 84bb8ebffce8ceb8796e39940f9342ead91e8d3cfe45cb2fa2eb7674df0cde7a91dc520fef50f775d7649411f6ac4c115ad52c8fe8eea10e7d245bd7a35d1ec8
SSDEEP: 49152:/StVHaauEgXuGU5hT9opy0fAS8wzdm4MQoy9UsveXIGg090IlrS0cMMExl:/StVHa/p+b9oA0f58qoy9UsveXmIlr6i
Malware Config
Extracted: redline
185.200.191.18:80
auth_value: 6a6d2013394e24ff36af9394a7517801
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/3100-5-0x00000000003A0000-0x00000000003C0000-memory.dmp, yara_rule: family_redline

Redline family

Suspicious use of SetThreadContext (1 IoC)
description: PID 1676 set thread context of 3100, pid: 1676, Process: Discord Nitro Generator.exe, procid_target: 86

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: Discord Nitro Generator.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: AppLaunch.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description: PID 1676 wrote to memory of 3100, pid: 1676, Process: Discord Nitro Generator.exe, procid_target: 86 (identical entry recorded 5 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1676
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - System Location Discovery: System Language Discovery
      PID: 3100