General
Target: file.exe
Size: 137KB
Sample: 221017-sma2fscdbr
MD5: 3e7476424f53cb86bde748a440f853a6
SHA1: 8b5a86f7005196149a662df06ee7767be6bd403f
SHA256: 88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531
SHA512: 09b9b8f7343f74023e3978d6adf9e5d0d4704e0e025c8f7810584b1a35eb668ca1b2ea00478576160e2c59ccd27cd96c6afa2c8970718c236d0aa37dd527a77c
SSDEEP: 3072:1YO/ZMTFzTDYI7TGDyJWLpVvDFToRPXhuSSYv:1YMZMBzTDY0ayJWX6pXh

Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
Malware Config
Extracted family: redline
Botnet: 1
C2: 80.76.51.172:19241
auth_value: 4b711fa6f9a5187b40500266349c0baf
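The indicators in this report (the file hashes under General and the C2 80.76.51.172:19241 from the extracted config) applied to endpoint telemetry, as an added example that is not part of the original report or of the sandbox's own tooling. It parses constructed Sysmon-style `key=value` lines (not real telemetry from the run), compares process hashes case-insensitively and flags the exact C2 host:port as a hit; a connection to the same host on a different port is reported separately as a weaker match, since a C2 host is often reused on other ports.

```python
"""IOC check for the RedLine sample in this report, run over constructed log lines.

Added example, not part of the original report. The IOC values are copied from
the report (file hashes and the extracted C2 80.76.51.172:19241); the log lines
below are constructed in a Sysmon-like key=value style and are not real telemetry.
"""
import re

# Indicators copied from the report (General / Malware Config sections), lower-case hex.
IOC_HASHES = {
    "MD5": "3e7476424f53cb86bde748a440f853a6",
    "SHA1": "8b5a86f7005196149a662df06ee7767be6bd403f",
    "SHA256": "88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531",
}
IOC_C2 = {("80.76.51.172", 19241)}

# Constructed sample telemetry (not from the sandbox run), one event per line.
# EventID=1 is a process-create record with Sysmon's "Hashes" field, EventID=3 a network connection.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Users\\bob\\Downloads\\file.exe Hashes=MD5=3E7476424F53CB86BDE748A440F853A6,SHA256=88F86BD0C315B807570A8330266FE9C8F04F04CEF5C06DE8F9F82EDA57F10531
EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=MD5=00000000000000000000000000000000,SHA256=1111111111111111111111111111111111111111111111111111111111111111
EventID=3 Image=C:\\Users\\bob\\Downloads\\file.exe DestinationIp=80.76.51.172 DestinationPort=19241 Protocol=tcp
EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=80.76.51.172 DestinationPort=443 Protocol=tcp
EventID=3 Image=C:\\Tools\\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443 Protocol=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a 'key=value key=value' line into a dict (values stay strings)."""
    return dict(KV_RE.findall(line))


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' field into {'MD5': '..', 'SHA256': '..'} in lower-case hex."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            out[algo.upper()] = digest.lower()
    return out


def match_event(event):
    """Return the list of IOC matches for one parsed event (empty if none)."""
    hits = []
    for algo, digest in sorted(parse_hashes(event.get("Hashes", "")).items()):
        if IOC_HASHES.get(algo) == digest:
            hits.append(f"hash:{algo}")
    ip, port = event.get("DestinationIp"), event.get("DestinationPort")
    if ip and port:
        if (ip, int(port)) in IOC_C2:
            hits.append(f"c2:{ip}:{port}")
        elif any(ip == c2_ip for c2_ip, _ in IOC_C2):
            # Same host, different port: worth a look but not the configured C2 endpoint.
            hits.append(f"c2-host-other-port:{ip}:{port}")
    return hits


def scan(log_text):
    """Return [(line_number, event, hits)] for every line with at least one IOC hit."""
    results = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            results.append((n, event, hits))
    return results


if __name__ == "__main__":
    for n, event, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {event.get('Image')} -> {', '.join(hits)}")
```

Hash matching is done per algorithm so a record that only carries SHA256 still matches; the host-only branch is deliberately reported under a different label so it can be routed to a lower-severity queue.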
Targets
Target: file.exe (same hashes as listed under General)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Signatures
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence check.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger
    Setting ThreadHideFromDebugger on a thread stops an attached debugger from receiving debug events for that thread, a common anti-debugging step.
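How the registry- and API-based signatures above can be reproduced from a trace, as an added example that is not the sandbox's own signature code. The registry locations it keys on (the VBOX__ ACPI table keys, the BIOS strings under HKLM\HARDWARE\DESCRIPTION\System, the GeoID under HKCU\Control Panel\International\Geo, the Uninstall key) and the ThreadHideFromDebugger information class (0x11) are well-known Windows facts rather than details taken from this report; the event schema and the event records are constructed for the example.

```python
"""Map trace events (registry reads, native API calls) to the behaviour signatures
listed in this report.

Added example, not the sandbox's own signature logic. Registry paths and the
ThreadHideFromDebugger constant are well-known Windows facts; the event dicts
and their schema are constructed here and are not from the analysed run.
"""
import re

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# ThreadInformationClass value for ThreadHideFromDebugger in NtSetInformationThread.
THREAD_HIDE_FROM_DEBUGGER = 0x11


def norm_path(path):
    """Upper-case the path, shorten long hive names to HKLM/HKCU, drop trailing separators."""
    path = path.strip().rstrip("\\").upper()
    for long, short in HIVE_ALIASES.items():
        if path.startswith(long):
            path = short + path[len(long):]
    return path


# One predicate per signature name from the report, evaluated over a normalized event.
def is_vbox_acpi(ev):
    # VirtualBox exposes ACPI tables whose OEM id is "VBOX__"; they appear as these keys.
    return ev["type"] == "reg_query" and re.match(
        r"HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", ev["path"]) is not None


def is_bios_query(ev):
    return (ev["type"] == "reg_query"
            and ev["path"].startswith("HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM")
            and ev.get("value", "").upper() in {
                "SYSTEMBIOSVERSION", "SYSTEMBIOSDATE", "VIDEOBIOSVERSION",
                "SYSTEMMANUFACTURER", "SYSTEMPRODUCTNAME", "BIOSVENDOR"})


def is_geo_query(ev):
    # "Nation" holds the numeric GeoID of the configured country (newer builds also store "Name").
    return (ev["type"] == "reg_query"
            and ev["path"] == "HKCU\\CONTROL PANEL\\INTERNATIONAL\\GEO"
            and ev.get("value", "").upper() in {"NATION", "NAME"})


def is_uninstall_enum(ev):
    # Covers both the native key and the Wow6432Node copy.
    return (ev["type"] in {"reg_query", "reg_enum"}
            and "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL" in ev["path"])


def is_hide_from_debugger(ev):
    return (ev["type"] == "api" and ev["name"] == "NtSetInformationThread"
            and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER)


RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", is_vbox_acpi),
    ("Checks BIOS information in registry", is_bios_query),
    ("Checks computer location settings", is_geo_query),
    ("Checks installed software on the system", is_uninstall_enum),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", is_hide_from_debugger),
]

# Constructed trace (not from the sandbox run): a mix of flagged and benign events.
SAMPLE_EVENTS = [
    {"type": "reg_query", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "path": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"type": "reg_query", "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "value": "SystemManufacturer"},
    {"type": "reg_query", "path": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "reg_enum", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "reg_query", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},  # benign
    {"type": "api", "name": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
    {"type": "api", "name": "NtSetInformationThread", "info_class": 0x02},  # other info class, not flagged
]


def classify(events):
    """Return {signature name: [matching normalized events]} for every signature with a hit."""
    hits = {}
    for ev in events:
        ev = dict(ev)
        if "path" in ev:
            ev["path"] = norm_path(ev["path"])
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(ev)
    return hits


if __name__ == "__main__":
    for name, evs in classify(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

Normalizing the hive name and case before matching matters in practice: different tracers emit `HKEY_LOCAL_MACHINE` or `HKLM`, and the ACPI key names are upper-case while the BIOS value names are mixed-case.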