General
Target: file.exe
Size: 358KB
Sample: 220912-x5hw8seab4
MD5: 5ca78e4191699df68c9b08460c9f7a2a
SHA1: c419ffa4098ac2b5cd06a71d08bf8360c1e70631
SHA256: 6b17d488dbf2b4ca6d6a8f0bd38ef68d006e3a3991b597f9be1cc56728038962
SHA512: 3ff62786f59b3796416e4eb13707b3470d57560a45ef79392a15ea0c68f00b80fbf74b6aa06eb03e39738780ec9a4b82cd9327da036e87849bf8d9dd99441eaa
SSDEEP: 6144:OlzcfHp87wQqTBguSyR8X6yTULyWFfxZ/j1nO8TYG0bAG+qQ6xT+UhbnKj7BPa+Q:Ol+JNN+uSyKXFTqFfxZ/j1nO8TYG0bAh
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
Malware Config (extracted from the sample)
Family: redline
Botnet: 5
C2: 79.110.62.196:26277
auth_value: febe6965b41d2583ad2bb6b5aa23cfd5
Targets
Target: file.exe (hashes as listed under General above)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Signatures observed for file.exe:
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger: calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events from that thread reaching an attached debugger, a common anti-debugging technique.
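The anti-analysis and reconnaissance signatures above (VirtualBox ACPI keys, BIOS values, the configured country code, Uninstall enumeration) all surface as registry reads, so they can be hunted in a Process Monitor trace of a suspect process. The script below is an added example written for this page, not code from the report, the sandbox or the malware. The Procmon CSV events are constructed to mirror the listed behaviours (including a sandbox that leaves "VBOX" in SystemBiosVersion), and the category names, the minimum-category threshold and the process key format are the example's own choices.

```python
"""Added example (not part of the sandbox report or of RedLine itself).

Turn the registry-read behaviours the report lists into a small detection
over a Process Monitor CSV export: reads of the VirtualBox ACPI keys, the
BIOS description values, the configured country code (Geo\\Nation) and the
Uninstall enumeration key. A process that touches several of these in one
run is far more suspicious than an OS component that reads one of them.
All events below are constructed for the example, not captured from this sample.
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (regex over the registry path as Procmon prints it, category name).
# Category names are this example's own labels.
REGISTRY_PATTERNS: List[Tuple[str, str]] = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "vm_detect_virtualbox_acpi"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "bios_info"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\", "bios_info"),
    (r"\\Control Panel\\International\\Geo\\Nation$", "geo_country_code"),
    (r"\\Windows\\CurrentVersion\\Uninstall(\\|$)", "installed_software_enum"),
]

# Procmon operations that read or enumerate registry data; writes are ignored.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}

# Hypervisor names a VM-aware sample looks for in the BIOS strings it reads back.
VM_MARKERS = re.compile(r"VIRTUALBOX|VBOX|VMWARE|QEMU", re.IGNORECASE)

# Constructed Procmon CSV export (File > Save > CSV) using the default columns.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0000001","file.exe","2316","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND","Desired Access: Read"
"10:02:11.0000120","file.exe","2316","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 14, Data: VBOX   - 1"
"10:02:11.0000300","file.exe","2316","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:02:11.0000550","file.exe","2316","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 0, Name: 7-Zip"
"10:02:12.0000000","explorer.exe","1480","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:02:12.0000400","file.exe","2316","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 20, Data: Windows 7"
'''


def registry_reads_by_process(procmon_csv: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map 'process:pid' -> category -> set of matched registry paths."""
    hits: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] not in READ_OPS:
            continue
        for pattern, category in REGISTRY_PATTERNS:
            if re.search(pattern, row["Path"], re.IGNORECASE):
                hits[f'{row["Process Name"]}:{row["PID"]}'][category].add(row["Path"])
                break
    return {proc: dict(cats) for proc, cats in hits.items()}


def vm_markers_returned(procmon_csv: str) -> Dict[str, List[str]]:
    """Processes that read a HARDWARE\\DESCRIPTION value whose returned data
    names a hypervisor. This is the data the sample inspects: a sandbox that
    leaves 'VBOX' in SystemBiosVersion hands the check an easy win."""
    found: Dict[str, List[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "RegQueryValue" or row["Result"] != "SUCCESS":
            continue
        if not re.search(r"\\HARDWARE\\DESCRIPTION\\", row["Path"], re.IGNORECASE):
            continue
        marker = VM_MARKERS.search(row["Detail"])
        if marker:
            found[f'{row["Process Name"]}:{row["PID"]}'].append(marker.group(0))
    return dict(found)


def flag_suspicious(procmon_csv: str, min_categories: int = 2) -> List[Tuple[str, List[str]]]:
    """Processes hitting at least min_categories distinct categories, most first.
    A single category on its own (explorer.exe reading Geo\\Nation) is normal."""
    flagged = []
    for proc, cats in registry_reads_by_process(procmon_csv).items():
        if len(cats) >= min_categories:
            flagged.append((proc, sorted(cats)))
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for proc, cats in flag_suspicious(SAMPLE_PROCMON_CSV):
        print(f"{proc}: {', '.join(cats)}")
    print("hypervisor strings read back:", vm_markers_returned(SAMPLE_PROCMON_CSV))
```

Run it against a real CSV by replacing SAMPLE_PROCMON_CSV with the file contents. Note that Sysmon does not record registry reads (its registry events cover create, delete, set and rename), so this style of check needs a Procmon trace, object-access auditing on the specific keys, or EDR telemetry that captures reads; and an empty result from vm_markers_returned on a hardened sandbox is the point of the exercise, since it means the BIOS strings the sample checks no longer give the VM away.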