General

Target: 47b88f5a97adbafa81ca0f1459ed733c7f989606717a7b6bef4ac2df95a125b9
Size: 3.7MB
Sample: 220310-z8lhmsefhq
MD5: 366b29db8a1f3bf7e140485a6a7a7088
SHA1: 5be4a50a0168011ebcd0cb8308ff1e8b019a84f8
SHA256: 47b88f5a97adbafa81ca0f1459ed733c7f989606717a7b6bef4ac2df95a125b9
SHA512: d2731eb96eb25c1ce4239ebe78115ced7b4e051e2505c1c5ab1d6b2e72c351d9466e5f35f4bd2eca748a2c4416743afe7d903fedc5f0e8de36dd90f11c43457c
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 47b88f5a97adbafa81ca0f1459ed733c7f989606717a7b6bef4ac2df95a125b9.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 47b88f5a97adbafa81ca0f1459ed733c7f989606717a7b6bef4ac2df95a125b9.exe
  Resource: win10v2004-en-20220113
Malware Config (extracted)

Family: redline
Build ID: Build1
C2: 45.142.213.135:30058
Targets

Target: 47b88f5a97adbafa81ca0f1459ed733c7f989606717a7b6bef4ac2df95a125b9
Size: 3.7MB
MD5: 366b29db8a1f3bf7e140485a6a7a7088
SHA1: 5be4a50a0168011ebcd0cb8308ff1e8b019a84f8
SHA256: 47b88f5a97adbafa81ca0f1459ed733c7f989606717a7b6bef4ac2df95a125b9
SHA512: d2731eb96eb25c1ce4239ebe78115ced7b4e051e2505c1c5ab1d6b2e72c351d9466e5f35f4bd2eca748a2c4416743afe7d903fedc5f0e8de36dd90f11c43457c
Signatures

- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
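As an added worked example (not the sandbox's own code and not part of this report), the Python below turns the extracted RedLine config above into an IOC record and then evaluates a constructed, Sysmon-style event trace against the behavioural signatures in the list. Only the C2 endpoint and the signature names come from the report; the Event schema, the sample trace, the IP-lookup hostnames, the parent-process list and the registry paths are assumptions made for illustration.

```python
"""Behavioural triage over endpoint telemetry, keyed to the signatures this report lists.

Added example: this is not the sandbox's own detection code. The Event schema, the
sample trace and the lookup-host / registry-path / parent-process lists are assumptions
constructed for illustration; the C2 endpoint comes from the report's extracted config.
"""
import ipaddress
import re
from dataclasses import dataclass


def parse_extracted_config(lines):
    """Turn the report's 'Malware Config (extracted)' values into an IOC record.

    Expects the family name, the build/botnet tag, then one or more host:port lines.
    A malformed address raises ValueError instead of silently producing a bad IOC.
    """
    family, build, c2 = lines[0].strip(), lines[1].strip(), []
    for raw in lines[2:]:
        host, _, port = raw.strip().rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed address
        c2.append((host, int(port)))
    return {"family": family, "build": build, "c2": c2}


CONFIG = parse_extracted_config(["redline", "Build1", "45.142.213.135:30058"])
C2_ENDPOINTS = set(CONFIG["c2"])

# Detection data (assumed/constructed; adjust to the telemetry source in use).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)  # HKCU location setting
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
NO_CHILD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}


@dataclass
class Event:
    kind: str              # "process" | "registry" | "network" | "api"
    image: str             # process: child image; otherwise the acting process
    parent: str = ""       # process events: parent image
    target: str = ""       # registry: key path; api: function name
    op: str = ""           # registry: "set" | "query"
    dest: str = ""         # network: hostname or IP
    port: int = 0
    dropped: bool = False  # process: image was written to disk earlier in the trace


def evaluate(events):
    """Return {signature_name: [event, ...]} for every listed behaviour observed."""
    hits = {}

    def hit(name, ev):
        hits.setdefault(name, []).append(ev)

    for ev in events:
        if ev.kind == "process":
            if ev.parent.lower() in NO_CHILD_PARENTS:
                hit("Process spawned unexpected child process", ev)
            if ev.dropped:
                hit("Executes dropped EXE", ev)
        elif ev.kind == "registry":
            if ev.op == "set" and RUN_KEY.search(ev.target):
                hit("Adds Run key to start application", ev)
            if ev.op == "query" and GEO_KEY.search(ev.target):
                hit("Checks computer location settings", ev)
        elif ev.kind == "network":
            if ev.dest.lower() in IP_LOOKUP_HOSTS:
                hit("Looks up external IP address via web service", ev)
            if (ev.dest, ev.port) in C2_ENDPOINTS:
                hit("RedLine C2 contact", ev)
        elif ev.kind == "api" and ev.target in CONTEXT_APIS:
            hit("Suspicious use of SetThreadContext", ev)
    return hits


# Constructed trace resembling the report's behavioural signatures (not sandbox output).
SAMPLE_TRACE = [
    Event("process", "sample.exe", parent="explorer.exe"),
    Event("registry", "sample.exe", target=r"HKCU\Control Panel\International\Geo\Nation", op="query"),
    Event("process", "updater.exe", parent="sample.exe", dropped=True),
    Event("registry", "updater.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", op="set"),
    Event("api", "updater.exe", target="SetThreadContext"),
    Event("network", "updater.exe", dest="api.ipify.org", port=443),
    Event("network", "updater.exe", dest="45.142.213.135", port=30058),
]


def triage(events=SAMPLE_TRACE):
    """Signature names observed, sorted, for quick comparison with the report's list."""
    return sorted(evaluate(events))


if __name__ == "__main__":
    for name, evs in evaluate(SAMPLE_TRACE).items():
        print(f"{name}: {len(evs)} event(s)")
```

Two of these signals need correlation before they mean much: a SetThreadContext call is the process-hollowing pattern only when it follows a suspended CreateProcess and WriteProcessMemory into that child, and a Run-key write or an external-IP lookup on its own is common in benign software. The C2 match is the strong signal here; the config parser rejects malformed addresses so a typo in a pasted IOC fails loudly rather than never matching.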