General
Target: 148fc1465a16eef8eb5dc3de875f00bc0eef7fd57e3d28c0b5825252cb2f7d90
Size: 403KB
Sample: 220704-nz7tqshacl
MD5: 1f559ea7319cb10511bdc8ab2b9f04dc
SHA1: 7cc3512e906ce97870fda5756096454887ba8642
SHA256: 148fc1465a16eef8eb5dc3de875f00bc0eef7fd57e3d28c0b5825252cb2f7d90
SHA512: 1b1b7dd9d8c4eec459e3a55421a0139ce20c3f146cfa3933bf91b26f0f66e694f7d43d2971671f84c1b75bccdf55fdbaad1ab9da9e2945a300d2b766b8c8377d
Static task: static1
Behavioral task: behavioral1
Sample: 148fc1465a16eef8eb5dc3de875f00bc0eef7fd57e3d28c0b5825252cb2f7d90.exe
Resource: win10-20220414-en
Malware Config
Extracted (colibri): 1.2.0, Build1
  http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
  http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Extracted (redline): 193.233.193.49:11906
  auth_value: ad5cd49e075db8527ecb265d0bf18710
Targets
Target: 148fc1465a16eef8eb5dc3de875f00bc0eef7fd57e3d28c0b5825252cb2f7d90 (403KB; same file and hashes as listed under General above)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Win32/Colibri Loader Activity M3
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Deletes itself
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext