General

Target: Launcherkasdk.rar
Size: 676KB
Sample: 240629-bpflaaxdqa
MD5: e7444bdafa960872781ee1cebb0cbf25
SHA1: 51037a62cc2c5f9a9b3ac3a57495ddb83f4e5f01
SHA256: 1b43ebe3171afb839bc0a7a64a9878aba6cb95a239c38474788b35f97134d268
SHA512: e89c356aee819155863243321a54c342d61ed331ff98384942fa64a65f2c9e2d7f15a1314064c2974f1115829a30243bea0d9076f1989a979c37207c6455f555
SSDEEP: 12288:Uq21Q6B2hG+nUXoLJas4vvRYlHpA7gljfjgQXTDmoJD6zsUUR8CznYC:UVy6ohY4LMs4vpYlHC7c7kqKMSsbnzT
Static task: static1
Behavioral task: behavioral1 (Sample: Launcherkasdk.rar, Resource: win10v2004-20240611-en)
Behavioral task: behavioral2 (Sample: Launcher.rar, Resource: win10v2004-20240508-en)
Malware Config

Extracted family: redline
C2: 185.196.9.26:6302
Targets

Target: Launcherkasdk.rar
Size: 676KB
MD5: e7444bdafa960872781ee1cebb0cbf25
SHA1: 51037a62cc2c5f9a9b3ac3a57495ddb83f4e5f01
SHA256: 1b43ebe3171afb839bc0a7a64a9878aba6cb95a239c38474788b35f97134d268
SHA512: e89c356aee819155863243321a54c342d61ed331ff98384942fa64a65f2c9e2d7f15a1314064c2974f1115829a30243bea0d9076f1989a979c37207c6455f555
SSDEEP: 12288:Uq21Q6B2hG+nUXoLJas4vvRYlHpA7gljfjgQXTDmoJD6zsUUR8CznYC:UVy6ohY4LMs4vpYlHC7c7kqKMSsbnzT
Score: 3/10

Target: Launcher.rar
Size: 676KB
MD5: 68603903ea068883390282f93a3a7450
SHA1: c1dc730110b074cee1054655b824800bf78de176
SHA256: 33f6acf3e36f00f1de834cf74e1ac5aad424d37f1cb1bcf42c0e507b673f50d3
SHA512: 5717e4bbb2e82bf8ad554f9855031f88484eb6adcb596a516e8d928baa7565cccca277b16e16997ec483a47ba691131cd9942001d7b51281edaa3ccc45137e99
SSDEEP: 12288:dq21Q6B2hG+nUXoLJas4vvRYlHpA7gljfjgQXTDmoJD6zsUUR8CznYx:dVy6ohY4LMs4vpYlHC7c7kqKMSsbnza

Note that the two archives are the same size and their SSDEEP hashes differ only in the first and last character of each chunk, so they are near-identical content (the same payload under a different archive name) even though their cryptographic hashes differ. Pivoting on fuzzy hashes rather than MD5/SHA256 is what links such re-uploads.
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.
- Creates new service(s)
- Downloads MZ/PE file
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check to avoid executing in certain regions.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets (possible credential harvesting)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext (commonly seen when a payload is injected into a suspended process and its entry point redirected)
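The behaviours listed above are the ones worth hunting for on hosts outside the sandbox. The script below is an added example, not part of the sandbox report or of any tool it references: it runs a few detection rules over constructed Sysmon-style events. The C2 address comes from the extracted config on this page; the event layout, the field names and the registry path assumed for the country-code lookup (Control Panel\International\Geo\Nation) are assumptions for the example. It also decodes PowerShell's -EncodedCommand argument, since the Defender-exclusion cmdlets are frequently hidden behind base64 rather than passed in clear text.

```python
import base64
import re

# Indicator taken from this report's extracted RedLine config.
REDLINE_C2 = ("185.196.9.26", 6302)
# Assumption for the example: registry value read when a sample checks the configured country code.
GEO_NATION_KEY = r"Control Panel\International\Geo\Nation"

# Defender cmdlets and the switches that add path/extension/process exclusions.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b",
    re.IGNORECASE | re.DOTALL,
)
# powershell.exe -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def hunt(events):
    """Match events against the report's behaviours; return (rule, evidence) pairs in event order."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            cmd = ev["cmdline"]
            # Check the raw command line and, if present, the decoded -EncodedCommand payload.
            for text in (cmd, decode_encoded_command(cmd)):
                if text and EXCLUSION_RE.search(text):
                    hits.append(("defender_exclusion_via_powershell", text.strip()))
                    break
        elif kind == "network":
            if (ev["dst"], ev["dport"]) == REDLINE_C2:
                hits.append(("redline_c2_connection", f'{ev["dst"]}:{ev["dport"]}'))
        elif kind == "registry":
            if ev["key"].lower().endswith(GEO_NATION_KEY.lower()):
                hits.append(("geofence_country_lookup", ev["key"]))
    return hits


def _encode(ps: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events for the example; not telemetry from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public" -ExclusionExtension ".exe"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + _encode('Add-MpPreference -ExclusionProcess "Launcher.exe"')},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
    {"type": "network", "dst": "185.196.9.26", "dport": 6302},
    {"type": "network", "dst": "8.8.8.8", "dport": 53},
    {"type": "registry", "key": r"HKCU\Control Panel\International\Geo\Nation"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The C2 match is deliberately exact on address and port; a real deployment would also watch for the address on other ports and for the hosting provider's ranges, since the report notes that legitimate hosting services are abused for C2. Treat any Add-MpPreference exclusion from a user-writable path as high-confidence regardless of what else fires.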