General
- Target: 566584a10ff7bd4442abc0e13b0f4dc263bbe61a0fbf0.exe (file name is the truncated SHA256)
- Size: 794KB
- Sample: 220830-k5la5sgaf4
- MD5: 9c038c34e4d37410cecb1f20f90984d5
- SHA1: ad16dea0d1f1d3eb45e8d8e1a040e42110ab1bec
- SHA256: 566584a10ff7bd4442abc0e13b0f4dc263bbe61a0fbf0a27c61bd92f511efe76
- SHA512: 5e5a5b357fe902b76b8c76a534904cc4ab588d9e558c1c5a6ad935326fa532873a27f6b1c9dd6c62aecc84ac791cc2442c9ef41c4151077d7499ed7c7e59b961
- SSDEEP: 6144:gHsV9Ig0yuLxcxxHz9Fl5iD4n3HVxx+BcUg+4oyss3MAy8IfSEA6gsumifLzJ6:4svBPnHJ5iERUghGUMAOSElgsumiT
Static task: static1
Behavioral task: behavioral1
- Sample: 566584a10ff7bd4442abc0e13b0f4dc263bbe61a0fbf0.exe
- Resource: win7-20220812-en (Windows 7 analysis image dated 2022-08-12, English locale)
Malware Config
Extracted: redline
- Botnet: VERIF01
- C2: please.c0nnect2me.ru:7777
- auth_value: 2eddda17dd5a8a8c16c28e7fe0f74b6c
Extracted: colibri
- Version: 1.2.0
- Build: Build1
- C2: http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
- C2: http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Configurations for two families were recovered from this one sample, so it should be treated as delivering both RedLine and Colibri: block or alert on all three C2 hosts, not just the RedLine one. The RedLine C2 is a bare host:port (raw TCP on 7777, no URL), while the Colibri C2s are HTTP gates.
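The following is an added example (not code from the sandbox, the report, or either malware family) showing how to turn the extracted config above into network indicators and sweep log lines for them. It handles the two C2 shapes differently: Colibri's HTTP URLs match on hostname, while RedLine's raw host:port has no IP in the report, so a connection to port 7777 is only flagged when the same client earlier resolved the C2 domain. The log lines, client addresses and destination IPs are constructed for the demonstration.

```python
"""IOC extraction and log sweep for the RedLine/Colibri config above.

Added example for this report; not code from the sandbox or the malware.
The log lines and all IP addresses below are constructed."""
import re
from urllib.parse import urlparse

# Indicators copied from the report's Malware Config section.
EXTRACTED_CONFIG = {
    "redline": {
        "botnet": "VERIF01",
        "c2": ["please.c0nnect2me.ru:7777"],          # bare host:port -> raw TCP
        "auth_value": "2eddda17dd5a8a8c16c28e7fe0f74b6c",
    },
    "colibri": {
        "version": "1.2.0",
        "build": "Build1",
        "c2": [
            "http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php",
            "http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php",
        ],
    },
}


def network_iocs(config):
    """Split the C2 list into domains, HTTP URLs and raw TCP (host, port) pairs."""
    iocs = {"domains": set(), "urls": set(), "tcp_c2": set()}
    for cfg in config.values():
        for c2 in cfg["c2"]:
            if "://" in c2:                     # Colibri: HTTP gate
                u = urlparse(c2)
                iocs["urls"].add(c2)
                iocs["domains"].add(u.hostname.lower())
            else:                               # RedLine: host:port, no scheme
                host, _, port = c2.rpartition(":")
                iocs["domains"].add(host.lower())
                iocs["tcp_c2"].add((host.lower(), int(port)))
    return iocs


HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)   # dotted hostnames
KV_RE = re.compile(r"(\w+)=(\S+)")                                 # key=value fields


def is_c2_domain(host, domains):
    """True if host is a C2 domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_logs(lines, iocs):
    """Return [(line_no, reason)] for lines that touch the extracted C2 set.

    Rule 1: any hostname in the line that is a C2 domain (or subdomain).
    Rule 2: an outbound connection to a raw-TCP C2 port from a client that
            earlier queried a C2 domain.  The report gives RedLine's port but
            no IP, so DNS-to-connection correlation is what pins it down and
            keeps a bare "dport=7777" from firing on its own."""
    hits = []
    resolvers = set()                            # clients that queried a C2 domain
    tcp_ports = {port for _, port in iocs["tcp_c2"]}
    for n, line in enumerate(lines, 1):
        kv = dict(KV_RE.findall(line))
        for host in HOST_RE.findall(line):
            if is_c2_domain(host, iocs["domains"]):
                hits.append((n, f"C2 domain {host.lower()}"))
                if "query" in kv and "client" in kv:
                    resolvers.add(kv["client"])
                break
        dport = kv.get("dport", "")
        if dport.isdigit() and int(dport) in tcp_ports and kv.get("src") in resolvers:
            hits.append((n, f"tcp/{dport} from {kv['src']} after C2 DNS lookup"))
    return hits


# Constructed sample telemetry (DNS, firewall, proxy); not real captures.
SAMPLE_LOGS = [
    "2022-08-30T11:02:17Z dns client=10.0.4.21 query=please.c0nnect2me.ru type=A",
    "2022-08-30T11:02:18Z fw src=10.0.4.21 dst=198.51.100.7 dport=7777 proto=tcp action=allow",
    "2022-08-30T11:03:40Z proxy client=10.0.4.21 method=POST "
    "url=http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php status=200",
    "2022-08-30T11:05:02Z dns client=10.0.4.33 query=www.example.com type=A",
    "2022-08-30T11:06:00Z fw src=10.0.4.33 dst=203.0.113.9 dport=7777 proto=tcp action=allow",
]

if __name__ == "__main__":
    for line_no, reason in scan_logs(SAMPLE_LOGS, network_iocs(EXTRACTED_CONFIG)):
        print(f"line {line_no}: {reason}")
```

On the constructed logs this reports lines 1 to 3 and stays quiet on line 5, where another client reaches port 7777 without any prior C2 lookup. In production the DNS answer (the resolved IP) would be a better join key than the client address, but the report supplies none, which is exactly why the correlation is done on the domain.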
Targets
- Target: 566584a10ff7bd4442abc0e13b0f4dc263bbe61a0fbf0.exe
- Size: 794KB
- MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the General section above (same file)
- RedLine: RedLine Stealer is an information-stealing malware family written in C# (.NET), first seen in early 2020 and sold as malware-as-a-service. It collects saved browser credentials, cookies, cryptocurrency wallets and system information and sends them to the C2 given in the config above.
- RedLine payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry (e.g. the Geo\Nation value under HKCU\Control Panel\International), most likely a geofence so the stealer can exit on hosts in regions the operator wants to avoid. A sandbox with a locale the malware excludes will show none of the later stealer behaviour, so a quiet run is not proof the sample is benign.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: enumerates the subkeys of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and its WOW6432Node and HKCU counterparts), the keys the Programs and Features list is built from, to inventory installed software.
- Suspicious use of SetThreadContext: calling SetThreadContext on a thread in another process is the step that redirects execution in process hollowing / RunPE (create the host process suspended, overwrite its image, point the thread at the new entry, resume). Together with "Executes dropped EXE" and "RedLine payload" this is consistent with the stealer running inside a hollowed host process rather than as its own image on disk, which is worth remembering when hunting: the process name on the wire may be a legitimate binary.