General
Target: 9480e8b5b5d3b10d6d8ce91c81a260057d8c22740960960a05cc338b3c8e3073.exe
Size: 383KB
Sample: 221121-sgzgvsac4y
MD5: 249afc0c47910087eb313fb999b7bc4c
SHA1: 7389d6eeb571bfa4731a06deb9535996d2c1828f
SHA256: 9480e8b5b5d3b10d6d8ce91c81a260057d8c22740960960a05cc338b3c8e3073
SHA512: af8581f9ecb2fd7475b86c02159cb16c79973e12bd914cefb885400bc3ea6fb01749aabe3d89d66c084c60db2310afec9bda0c3ea3ad2906800f1e8c6e6d712e
SSDEEP: 6144:+iWKESG24OQjFnM6X4nLlHxmbxS5t8EovmIi+IJmk9nSTtT6V12RBq1DooGHp38V:6SG1InLlakHoOIizLdgswRBq1iJ8
Static task: static1

Behavioral task: behavioral1
Sample: 9480e8b5b5d3b10d6d8ce91c81a260057d8c22740960960a05cc338b3c8e3073.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 9480e8b5b5d3b10d6d8ce91c81a260057d8c22740960960a05cc338b3c8e3073.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted
Family: redline
Botnet: Lyla19.11
C2: 185.215.113.216:21921
auth_value: d794b35d7fc2b68cd29e01294b41b9b6

Extracted
Family: redline
Botnet: top1
C2: chardhesha.xyz:81, jalocliche.xyz:81
auth_value: fa2afa98a6579319e36e31ee0552bd57
Targets
Target: 9480e8b5b5d3b10d6d8ce91c81a260057d8c22740960960a05cc338b3c8e3073.exe (383KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2