General
Target: 613a23dadd6cf4ddfe08a56b7f13f3c83b1a0ef2dba918539ec0d4003f9c06dd
Size: 2.5MB
Sample: 241110-hsl1ssscqb
MD5: e53f47ff9d95341b0655cac6f6dbf016
SHA1: 44a20df0b51fac9e91d5a85d4cc177ec755a615d
SHA256: 613a23dadd6cf4ddfe08a56b7f13f3c83b1a0ef2dba918539ec0d4003f9c06dd
SHA512: 3150a499ba03a0fd60d219a09038618ff35aca6dbc6dc7ae61821bb0c3c780c2c32b3c6e36387ea9a116433ce7ae697ce1e586b1ef7976745f07d4f00a54de7d
SSDEEP: 49152:+Vper5oxsTZ/SoFxO7+740Arnf9ctdTvoJ:tGxQ1M7+743rnEzS
Static task: static1
Behavioral task: behavioral1 (Sample: 1.msi, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: 1.msi, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: URFT06GSBAWRP_001_PDF.exe, Resource: win7-20240903-en)
Behavioral task: behavioral4 (Sample: URFT06GSBAWRP_001_PDF.exe, Resource: win10v2004-20241007-en)
Malware Config
Extracted: redline
ingineru
23.88.61.43:18472
auth_value: 829f820f7d87919dad4b39d27cada24c
Extracted: asyncrat
Venom RAT 5.0.5
Venom Clients
resulttoday2.duckdns.org:6111
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Targets
Target: 1.msi
Size: 354.2MB
MD5: 3fec58a8814463d25e3c18eb95d4803f
SHA1: d19f99436a9e3d97285802ee7ed755aad4f6187d
SHA256: 2e21637e26f39ce81a13107263f2e62e6e23b7d00466c77b98b2df3e06422121
SHA512: 5092c48418cecbee2f1e02383e64a826d96eacd0ada9878b85dcb44f56e1c22a083e65b1b7eab56e7831dc740ffa978d456b02d77264e1913dc3db7a2f73c824
SSDEEP: 98304:DpyS79tNaQiLb0icbxl+364Sp+364tgF:cSX09w
Signatures:
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Redline family
Modifies file permissions
Uses the VBS compiler for execution
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext
Target: URFT06GSBAWRP_001_PDF.exe
Size: 300.0MB
MD5: 464753cd8a6523de0fba921ce6846177
SHA1: 6b3b77af1129f9ad86acc31163d8450eacb4dbd3
SHA256: 3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
SHA512: 589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
SSDEEP: 3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU
Score: 10/10
Signatures:
Asyncrat family
Executes dropped EXE
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution: Command and Scripting Interpreter (1), Scheduled Task/Job (1), Scheduled Task (1)
Persistence: Event Triggered Execution (1), Installer Packages (1), Scheduled Task/Job (1), Scheduled Task (1)
Privilege Escalation: Event Triggered Execution (1), Installer Packages (1), Scheduled Task/Job (1), Scheduled Task (1)
Defense Evasion: File and Directory Permissions Modification (1), System Binary Proxy Execution (1), Msiexec (1)