General
Target: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Size: 1.9MB
Sample: 240702-cem32sscmb
MD5: eaa443f37443cb7221d63e0891243384
SHA1: d3242326b2ac1ae6e9817a49df33c3a79e209aee
SHA256: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
SHA512: 8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
SSDEEP: 49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ
Static task: static1
Behavioral task: behavioral1
Sample: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Resource: win7-20240221-en
Malware Config
Extracted: amadey
8254624243
e76b71
http://77.91.77.81
install_dir: 8254624243
install_file: axplong.exe
strings_key: 90049e51fabf09df0d6748e0b271922e
url_paths: /Kiru9gu/index.php
Extracted: redline
newlogs
85.28.47.7:17210
Extracted: stealc
ZOV
http://40.86.87.10
url_path: /108e010e8f91c38c.php
Extracted: redline
newbuild
185.215.113.67:40960
Targets
Target: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Size: 1.9MB
MD5: eaa443f37443cb7221d63e0891243384
SHA1: d3242326b2ac1ae6e9817a49df33c3a79e209aee
SHA256: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
SHA512: 8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
SSDEEP: 49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Downloads MZ/PE file
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext