General
-
Target
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
Size
345KB
-
Sample
221018-aytntseafn
-
MD5
f1d121ab68b439ac310fb79119ffb044
-
SHA1
f952140c206d96843baa79f2e0e8454c07fa683a
-
SHA256
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
SHA512
ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
-
SSDEEP
6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE
Static task
static1
Behavioral task
behavioral1
Sample
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
redline
875784825
79.137.192.6:8362
Targets
-
-
Target
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
Size
345KB
-
MD5
f1d121ab68b439ac310fb79119ffb044
-
SHA1
f952140c206d96843baa79f2e0e8454c07fa683a
-
SHA256
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
SHA512
ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
-
SSDEEP
6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-