General

Target: 7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2
Size: 316KB
Sample: 220927-pz1absefbj
MD5: b020d423131a7b019ae75d4d70b93c42
SHA1: ad8c4a06858964a918c01bd4e9b66b37a94743c6
SHA256: 7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2
SHA512: e9daf96cdc7d09c05d33fb3b6f4efab38a91be4f243a9a3a317a4542a1d2ca0634a918a6e713dd917d38cef4200449caddd140933d8c0952316d01997e6bbfeb
SSDEEP: 3072:Me4X1ah9NN9g+X25h3c4DR82hKajyrTeLQo0KpYRXqeM/h3BsxkgaBChU/pZa9uk:MeM2i+kcqhBPQo0LXhnigabwVf

Static task: static1
Behavioral task: behavioral1
Sample: 7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2.exe
Resource: win10-20220812-en

Malware Config

Extracted: redline
Botnet: inslab26
C2: 185.182.194.25:8251
auth_value: 7c9cbd0e489a3c7fd31006406cb96f5b

Extracted: redline
Botnet: 11
C2: 77.73.134.27:7161
auth_value: e6aadafed1fda7723d7655a5894828d2

Extracted: raccoon
aeea23901ace2687ada0edd1d2615c7f
C2: http://77.73.134.31/
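The C2 values above become network indicators once they are normalized to a host and port (RedLine reports host:port, Raccoon reports a URL). The following is an added example, not part of the report and not the sandbox's own tooling: it normalizes the extracted C2s and matches them against a few constructed firewall log lines. The log format, timestamps and source addresses are invented for the example; only the C2 values, botnet names and family names are taken from the report.

```python
"""
Added example, not part of the sandbox report or of any tool the report uses:
turns the C2 values from the "Malware Config" section into network indicators
and matches them against a few constructed firewall log lines.  The log lines
and the log format are invented; only the C2 values and family names are taken
from the report.
"""
import re
from urllib.parse import urlparse

# C2 values copied from the extracted configurations in the report.
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "inslab26", "c2": "185.182.194.25:8251"},
    {"family": "redline", "botnet": "11", "c2": "77.73.134.27:7161"},
    {"family": "raccoon", "botnet": None, "c2": "http://77.73.134.31/"},
]


def normalize_c2(c2):
    """Return (host, port) for a host:port value or a URL-form C2."""
    if "://" in c2:
        parsed = urlparse(c2)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        return parsed.hostname, port
    host, _, port = c2.rpartition(":")
    return host, int(port)


def build_indicators(configs):
    """Index indicators two ways: exact (host, port) and host only, so that a
    connection to a known C2 host on an unexpected port is still surfaced."""
    by_hostport, by_host = {}, {}
    for cfg in configs:
        host, port = normalize_c2(cfg["c2"])
        label = cfg["family"] + (f"/{cfg['botnet']}" if cfg["botnet"] else "")
        by_hostport[(host, port)] = label
        by_host.setdefault(host, label)
    return {"hostport": by_hostport, "host": by_host}


# Constructed firewall log format (not any real product's format).
LOG_LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def match_log(lines, indicators):
    """Return (line, label, match_kind) for every line hitting an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # not a connection record; ignore
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in indicators["hostport"]:
            hits.append((line, indicators["hostport"][(dst, dport)], "host+port"))
        elif dst in indicators["host"]:
            hits.append((line, indicators["host"][dst], "host-only"))
    return hits


# Constructed sample log lines (invented for this example).
SAMPLE_LOG = [
    "2022-09-27T12:01:03Z src=10.0.0.15 dst=185.182.194.25 dport=8251 proto=tcp action=allow",
    "2022-09-27T12:01:09Z src=10.0.0.15 dst=77.73.134.31 dport=80 proto=tcp action=allow",
    "2022-09-27T12:01:12Z src=10.0.0.15 dst=77.73.134.27 dport=443 proto=tcp action=allow",
    "2022-09-27T12:01:15Z src=10.0.0.15 dst=142.250.74.46 dport=443 proto=tcp action=allow",
    "2022-09-27T12:01:20Z firewall heartbeat ok",
]

INDICATORS = build_indicators(EXTRACTED_CONFIGS)

if __name__ == "__main__":
    for line, label, kind in match_log(SAMPLE_LOG, INDICATORS):
        print(f"{kind:9} {label:18} {line}")
```

The host-only index is deliberate: stealer C2 ports change between builds more often than the hosting IP does, so a connection to a known C2 host on a different port is worth surfacing as a weaker hit rather than dropping.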

Targets

Target: 7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2 (size and hashes as listed under General above)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: a thread with ThreadHideFromDebugger set no longer delivers debug events to an attached debugger)
- Suspicious use of SetThreadContext (rewriting a thread's register state, commonly seen when code is injected into another process; the report does not identify the target process)
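The signatures above are behavioural: the sandbox raises them from observed API calls and registry access rather than from static content. As an added example (not the sandbox's own detection logic, and not code from the sample or the report), the following evaluates three of them over a constructed API-call trace. The trace, its event field names (pid, api, args, ret) and the process and thread IDs are invented for the example; the constants 0x11 (ThreadHideFromDebugger) and 0x4 (CREATE_SUSPENDED) are the documented Windows values, and the signature names are the report's.

```python
"""
Added example, not code from the report or from the sandbox that produced it:
evaluates three of the behavioural signatures over a constructed API-call trace
of the kind a sandbox records.  The trace, its field names and all process and
thread IDs are invented; the signature names match the report.
"""

# Documented Windows values the checks rely on.
THREAD_HIDE_FROM_DEBUGGER = 0x11      # THREADINFOCLASS ThreadHideFromDebugger
CREATE_SUSPENDED = 0x00000004         # CreateProcess dwCreationFlags bit
UNINSTALL_KEY_SUFFIX = r"\currentversion\uninstall"  # compared case-insensitively

SIG_INSTALLED_SOFTWARE = "Checks installed software on the system"
SIG_HIDE_FROM_DEBUGGER = "Suspicious use of NtSetInformationThreadHideFromDebugger"
SIG_SET_THREAD_CONTEXT = "Suspicious use of SetThreadContext"


def evaluate(trace):
    """Return the sorted list of signature names the trace triggers.

    Each event is a dict with pid (the calling process), api, args and,
    where a return value matters, ret.  These field names are an assumption
    of this example, not a sandbox's real schema.
    """
    fired = set()
    thread_owner = {}  # thread id -> owning pid, learned from CreateProcess*
    for ev in trace:
        api, args = ev["api"], ev.get("args", {})
        if api.startswith("RegOpenKeyEx"):
            # Matches both the native path and the Wow6432Node variant.
            key = args.get("SubKey", "").lower().rstrip("\\")
            if key.endswith(UNINSTALL_KEY_SUFFIX):
                fired.add(SIG_INSTALLED_SOFTWARE)
        elif api == "NtSetInformationThread":
            if args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
                fired.add(SIG_HIDE_FROM_DEBUGGER)
        elif api.startswith("CreateProcess"):
            ret = ev.get("ret", {})
            if args.get("CreationFlags", 0) & CREATE_SUSPENDED and "ThreadId" in ret:
                # Remember the suspended primary thread of the new process.
                thread_owner[ret["ThreadId"]] = ret["ProcessId"]
        elif api == "SetThreadContext":
            owner = thread_owner.get(args.get("ThreadId"))
            # Flag only when the context is rewritten in another process;
            # SetThreadContext on the caller's own threads is common in benign code.
            if owner is not None and owner != ev["pid"]:
                fired.add(SIG_SET_THREAD_CONTEXT)
    return sorted(fired)


# Constructed trace exercising all three checks (invented PIDs/TIDs).
MALICIOUS_TRACE = [
    {"pid": 1234, "api": "NtSetInformationThread",
     "args": {"ThreadHandle": 0x1F4, "ThreadInformationClass": 0x11}},
    {"pid": 1234, "api": "RegOpenKeyExW",
     "args": {"Key": "HKEY_LOCAL_MACHINE",
              "SubKey": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"}},
    {"pid": 1234, "api": "CreateProcessW",
     "args": {"CreationFlags": CREATE_SUSPENDED},
     "ret": {"ProcessId": 5678, "ThreadId": 5680}},
    {"pid": 1234, "api": "SetThreadContext", "args": {"ThreadId": 5680}},
    {"pid": 1234, "api": "ResumeThread", "args": {"ThreadId": 5680}},
]

# Constructed benign trace: normal process creation, own-thread context write,
# and an unrelated registry key.
BENIGN_TRACE = [
    {"pid": 4321, "api": "CreateProcessW", "args": {"CreationFlags": 0x0},
     "ret": {"ProcessId": 8765, "ThreadId": 8767}},
    {"pid": 4321, "api": "SetThreadContext", "args": {"ThreadId": 4325}},
    {"pid": 4321, "api": "RegOpenKeyExW",
     "args": {"Key": "HKEY_CURRENT_USER", "SubKey": r"Software\Example\Settings"}},
]

if __name__ == "__main__":
    print("malicious:", evaluate(MALICIOUS_TRACE))
    print("benign:   ", evaluate(BENIGN_TRACE))
```

The SetThreadContext check only knows about threads it saw created through CreateProcess with CREATE_SUSPENDED; a production rule would also resolve thread handles obtained via OpenThread or returned by CreateRemoteThread, otherwise injection into an already-running process is missed.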