General
Target: c542127cb5f13e9d66bd3c89023ac843.exe
Size: 191KB
Sample: 220714-axyw6aeadl
MD5: c542127cb5f13e9d66bd3c89023ac843
SHA1: 8e7746e8941053e70ac0fbfaf771619bad32cae3
SHA256: 09b10c88bbc3847d274f7b734a701248833fa92efddc669a7a82e0d1401f7245
SHA512: 47be3f021c34d36450b9f6001587b70470cbefa8b47aeff62c74d4b481e57db4186bd62da42bb22e075179961bfbad5a4b1cfc136321f65e0b98c2dbdcaae153
Static task: static1
Behavioral task: behavioral1
Sample: c542127cb5f13e9d66bd3c89023ac843.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: redline
Botnet: podgruzka
C2: 65.108.248.168:40517
auth_value: 278b941b8ba9fb5e3ed7c830dd81e62c
Targets
Target: c542127cb5f13e9d66bd3c89023ac843.exe
Size: 191KB
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext