General
- Target: 1956-57-0x0000000001340000-0x000000000219C000-memory.dmp
- Size: 14.4MB
- Sample: 220831-tbk8qagddl
- MD5: 4d1170fc0164dba2a4b599984aaa577c
- SHA1: 3fbce63706e3c17294411a751b683b734c2cf4eb
- SHA256: dcb4a5db6b0cf4459a1ce543feea4e90b5df60cf55df4a2513c967fdec37f50c
- SHA512: 5fc303f940991e7b8535a277785e6f424a8dde24cdbb8812fa02ed988aebe9007464693e37eec02af86e947a0e8a84ebb041fec8165f47a1e944e1bacfd1bb44
- SSDEEP: 196608:8yCFRy8/D8gz9PWY6pjCCoFeIkMIXUjwu6wysbxzwdGqw9m8jP6zd+uO0:+bYU9PbQMFe/UjpLy4xE+J6zE
Behavioral task
- behavioral1
- Sample: 1956-57-0x0000000001340000-0x000000000219C000-memory.exe
- Resource: win7-20220812-en
Malware Config
- Extracted: redline
- 2
- 116.203.187.3:14916
- auth_value: 1c0b2a7d9265a0bd7186c9687fe62c4e
Targets
- Target: 1956-57-0x0000000001340000-0x000000000219C000-memory.dmp
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger