General
-
Target
file.exe
-
Size
7.5MB
-
Sample
220922-q5s9msfdcn
-
MD5
a1936300c71efd096e2caca62af4c4a9
-
SHA1
cb2d0f1e56f7b8016ec5b61dd8e80a238b408715
-
SHA256
c992ef827d88ae7a24a9ae36ab7406ad9366f4783d258c8ac3957a2ab54c3d83
-
SHA512
a5a576e96511ae12e0bfb84d088f9dceabf2b53e570c723ac10079ceeb4f1ea3c31dd6cc6239b4b6b8836d0f8bc772b8adc6ac8b71d3b7c39a01af177d1784be
-
SSDEEP
196608:hRToN416hR2fFkD4fE+++9iTsCsa1nGzxDQUfyIb6H//OeVPlXMwN:583
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
redline
sep16as1
185.215.113.122:15386
-
auth_value
01795623e4e3747594c759aa084bc4a0
Extracted
redline
Lyla.22.09
185.215.113.216:21921
-
auth_value
2f19888cb6bad7fdc46df91dc06aacc5
Targets
-
-
Target
file.exe
-
Size
7.5MB
-
MD5
a1936300c71efd096e2caca62af4c4a9
-
SHA1
cb2d0f1e56f7b8016ec5b61dd8e80a238b408715
-
SHA256
c992ef827d88ae7a24a9ae36ab7406ad9366f4783d258c8ac3957a2ab54c3d83
-
SHA512
a5a576e96511ae12e0bfb84d088f9dceabf2b53e570c723ac10079ceeb4f1ea3c31dd6cc6239b4b6b8836d0f8bc772b8adc6ac8b71d3b7c39a01af177d1784be
-
SSDEEP
196608:hRToN416hR2fFkD4fE+++9iTsCsa1nGzxDQUfyIb6H//OeVPlXMwN:583
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Detectes Phoenix Miner Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-