General
- Target: 1534960155795912767f0c903aab042c816efddbaae315f03b53f590501d8fbe
- Size: 280KB
- Sample: 220922-tc6aaaffbr
- MD5: 13f29cd8ac9782f446c79e83d5e099bf
- SHA1: 8ac177202195726fd8b917281dce14f3cf6a8c50
- SHA256: 1534960155795912767f0c903aab042c816efddbaae315f03b53f590501d8fbe
- SHA512: 4fa8579bc977c561d142f466ee22ba6b7bf8014f60930234bd7364fa017408beb4e1924d32eb6bc8dc3887c2cd4af6bd69031827e2580b76e3c3aaddd7eecaba
- SSDEEP: 6144:4BYIKgyi+aLFTlKCc1eWiAFVZpegMcD0eC/igavwVfQK:4BBECHKCc1akpe/N6Y
Static task: static1
Behavioral task: behavioral1
- Sample: 1534960155795912767f0c903aab042c816efddbaae315f03b53f590501d8fbe.exe
- Resource: win10-20220812-en
Malware Config
Extracted: redline
- Botnet: LogsDiller Cloud (Sup: @mr_golds)
- C2: 77.73.134.27:8163
- auth_value: 56c6f7b9024c076f0a96931453da7e56
Extracted: tofsee
- C2: svartalfheim.top
- C2: jotunheim.name
Targets
- Target: 1534960155795912767f0c903aab042c816efddbaae315f03b53f590501d8fbe (280KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
RedLine
RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS and firmware strings in the registry are commonly read to fingerprint virtual machines and sandboxes.
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
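The network indicators from the extracted configs and the persistence writes listed in the signatures above, turned into a hunting check over Sysmon-style telemetry. This is an added example, not code from the report or from the sample: the field names (EventID, Image, TargetObject, Details, DestinationIp, DestinationPort, QueryName) follow Sysmon's event schema, the event records are constructed for the demonstration, and the user paths, SID and service name in them are placeholders.

```python
"""Hunt for the behaviours this report flags, over Sysmon-style events.

Added example for this page; it is not part of the sandbox report and not
code from the sample. The IOC values are taken from the report's extracted
config (RedLine C2 77.73.134.27:8163, Tofsee domains svartalfheim.top and
jotunheim.name). The event records further down are constructed to resemble
Sysmon EID 3 (network), 13 (registry value set) and 22 (DNS query) fields.
"""
import re
from dataclasses import dataclass

# From the report's "Malware Config" section.
REDLINE_C2 = ("77.73.134.27", 8163)
TOFSEE_DOMAINS = {"svartalfheim.top", "jotunheim.name"}

# Persistence writes listed under the signatures ("Adds Run key",
# "Sets service image path in registry"). Both are value-set operations, so
# they surface as Sysmon EID 13. The VirtualBox ACPI / BIOS checks are registry
# *reads*; Sysmon has no registry-read event, so they are not hunted here.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
IMAGEPATH_RE = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I)


@dataclass
class Hit:
    rule: str
    event_index: int
    detail: str


def hunt(events):
    """Return a Hit for every event matching one of the report's indicators."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 3:
            dst = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
            if dst == REDLINE_C2:
                hits.append(Hit("redline_c2", i, f"{ev.get('Image')} -> {dst[0]}:{dst[1]}"))
        elif eid == 22:
            # Normalise case and a trailing dot so FQDN variants still match.
            name = ev.get("QueryName", "").lower().rstrip(".")
            if name in TOFSEE_DOMAINS:
                hits.append(Hit("tofsee_dns", i, f"{ev.get('Image')} resolved {name}"))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                hits.append(Hit("run_key_persistence", i, f"{target} = {ev.get('Details')}"))
            elif IMAGEPATH_RE.search(target):
                hits.append(Hit("service_imagepath_set", i, f"{target} = {ev.get('Details')}"))
    return hits


# Constructed sample telemetry (not from the report). The first process name
# reuses the report's SHA256 the way the sandbox named the sample; the SID,
# user paths and service name are placeholders. The second and fifth entries
# are benign controls that must not match.
SAMPLE_EVENTS = [
    {"EventID": 3,
     "Image": r"C:\Users\victim\Desktop\1534960155795912767f0c903aab042c816efddbaae315f03b53f590501d8fbe.exe",
     "DestinationIp": "77.73.134.27", "DestinationPort": "8163"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "svartalfheim.top"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\placeholdersvc\ImagePath",
     "Details": r"C:\Windows\placeholdersvc.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.rule}] event {h.event_index}: {h.detail}")
```

Only the network indicators and the persistence writes are hunted: the VirtualBox ACPI and BIOS checks the report flags are registry reads, which Sysmon does not record, so observing them needs a sandbox run or API/ETW tracing. The C2 address and port are specific to this build and will differ across RedLine samples, so keep the matching data-driven rather than hard-coding it into the rule logic.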