General
- Target: beb38b475d203dd46d3d1fa63ca34a83df6c45775b348279a5dc19ef1a861336
- Size: 328KB
- Sample: 220927-z6y1ysefb6
- MD5: 56cd93b278ab2458de2f72c977bbcbea
- SHA1: 9c21edeb3d2552bedfaf1c9eb0e6fcf19f78d98b
- SHA256: beb38b475d203dd46d3d1fa63ca34a83df6c45775b348279a5dc19ef1a861336
- SHA512: 87e06b9787a17f032999621829c2152f753ed4654efd6662613414474f6e9ed9e6c464afc93c6a848a1541e2385bd5de04fef3a8f33f6df60d7f8ea632d16831
- SSDEEP: 3072:EzXsv40EYmGO5zU1EfF5r0fnS/BOdZw7y2exSOX40KVOM/h3BsxkgaBChU/pZa9u:Er70eSE4fn3s7RewOX40iOnigabwVfs
Static task: static1
Behavioral task: behavioral1
- Sample: beb38b475d203dd46d3d1fa63ca34a83df6c45775b348279a5dc19ef1a861336.exe
- Resource: win10-20220812-en
Malware Config
Extracted: redline
- 11
- 51.89.201.21:7161
- auth_value: e6aadafed1fda7723d7655a5894828d2
Extracted: redline
- inslab26
- 185.182.194.25:8251
- auth_value: 7c9cbd0e489a3c7fd31006406cb96f5b
Extracted: redline
- 981705428_wsiv2wqu
- 179.43.175.170:38766
- auth_value: ea424abde1f4c7328dd41ad4f28f74d4
Targets
- Target: beb38b475d203dd46d3d1fa63ca34a83df6c45775b348279a5dc19ef1a861336 (328KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Detects Smokeloader packer
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext