General
- Target: Reverse IP By Mf4Tn.exe
- Size: 9.3MB
- Sample: 220819-w913yabfe3
- MD5: 086fb3b0ff1e3c6c351bd9e82465d395
- SHA1: c02cdb69a41e442b7200bb7b1d191e8cd005a015
- SHA256: f0fb578438edc3150919407abfc8ad167079ec3ac86bc84c3f93b2aa22fc73e8
- SHA512: b284e55632d2bfea8ae87a36a1f3805b17fa26e944230b9f16b08f50ec93eb29d19d692f1a71c50e63897f4d95f473ab89e0cc3390289d39bc6bf8381ba85116
- SSDEEP: 196608:kp7uPLn/RNrlHAjoG+IGCsXDjDyf8H2WliXYrHW1LmFDXvCbfc+nGgC:HPDZxlHOFGCEDtH2ciIrHWRSDXvCbUq
Malware Config
Extracted
- Family: redline
- 1877
- C2: overthinker1877.duckdns.org:60732
Targets
- Target: Reverse IP By Mf4Tn.exe (9.3MB; same hashes as listed under General)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.