General
-
Target
https://www.bing.com/ck/a?!&&p=7223733d12869f75JmltdHM9MTcxOTE4NzIwMCZpZ3VpZD0yMTU4ODExMi0yYmQzLTZhYmEtMzhhOC05NWJhMmFjMTZiYmQmaW5zaWQ9NTIxOA&ptn=3&ver=2&hsh=3&fclid=21588112-2bd3-6aba-38a8-95ba2ac16bbd&psq=gta+5+launcher+file+download&u=a1aHR0cHM6Ly93d3cuZ3RhNS1tb2RzLmNvbS90b29scy9ndGEtdi1sYXVuY2hlcg&ntb=1
-
Sample
240624-q566havfrg
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.bing.com/ck/a?!&&p=7223733d12869f75JmltdHM9MTcxOTE4NzIwMCZpZ3VpZD0yMTU4ODExMi0yYmQzLTZhYmEtMzhhOC05NWJhMmFjMTZiYmQmaW5zaWQ9NTIxOA&ptn=3&ver=2&hsh=3&fclid=21588112-2bd3-6aba-38a8-95ba2ac16bbd&psq=gta+5+launcher+file+download&u=a1aHR0cHM6Ly93d3cuZ3RhNS1tb2RzLmNvbS90b29scy9ndGEtdi1sYXVuY2hlcg&ntb=1
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
https://www.bing.com/ck/a?!&&p=7223733d12869f75JmltdHM9MTcxOTE4NzIwMCZpZ3VpZD0yMTU4ODExMi0yYmQzLTZhYmEtMzhhOC05NWJhMmFjMTZiYmQmaW5zaWQ9NTIxOA&ptn=3&ver=2&hsh=3&fclid=21588112-2bd3-6aba-38a8-95ba2ac16bbd&psq=gta+5+launcher+file+download&u=a1aHR0cHM6Ly93d3cuZ3RhNS1tb2RzLmNvbS90b29scy9ndGEtdi1sYXVuY2hlcg&ntb=1
Resource
win11-20240508-en
Malware Config
Extracted
redline
cheat
185.222.58.70:55615
Targets
-
-
Target
https://www.bing.com/ck/a?!&&p=7223733d12869f75JmltdHM9MTcxOTE4NzIwMCZpZ3VpZD0yMTU4ODExMi0yYmQzLTZhYmEtMzhhOC05NWJhMmFjMTZiYmQmaW5zaWQ9NTIxOA&ptn=3&ver=2&hsh=3&fclid=21588112-2bd3-6aba-38a8-95ba2ac16bbd&psq=gta+5+launcher+file+download&u=a1aHR0cHM6Ly93d3cuZ3RhNS1tb2RzLmNvbS90b29scy9ndGEtdi1sYXVuY2hlcg&ntb=1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Probable phishing domain
-
Suspicious use of SetThreadContext
-