General

Target: file.exe
Size: 469KB
Sample: 221025-pwrtsacgbr
MD5: 1539cd68dd1d36dd3a7aa33bfc8fe4b0
SHA1: d8b14448c04ba934fa62d647e0cded3065b08c78
SHA256: 212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
SHA512: 348f78b2250d6dc43c6e702e9920f4a878cf385821d148a0fd9529177d873ff6e19645a30f32a62882834095902de9a4426f36fd6b8700c4060211b67b2be137
SSDEEP: 6144:FJptTCL5a66wILW273Xrnm2wrnnai0Kv+rEsk7puSbaA1PcQY8L68Cdt4mDKnC2r:3uL5j7n27Lm5nHirvir10QJL3fr
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220901-en
Malware Config

Extracted family: redline
Botnet: 1
C2: 80.76.51.172:19241
auth_value: 4b711fa6f9a5187b40500266349c0baf
Targets

Target: file.exe
Size: 469KB
MD5: 1539cd68dd1d36dd3a7aa33bfc8fe4b0
SHA1: d8b14448c04ba934fa62d647e0cded3065b08c78
SHA256: 212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
SHA512: 348f78b2250d6dc43c6e702e9920f4a878cf385821d148a0fd9529177d873ff6e19645a30f32a62882834095902de9a4426f36fd6b8700c4060211b67b2be137
SSDEEP: 6144:FJptTCL5a66wILW273Xrnm2wrnnai0Kv+rEsk7puSbaA1PcQY8L68Cdt4mDKnC2r:3uL5j7n27Lm5nHirvir10QJL3fr

Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up the country code configured in the registry, likely geofencing.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext