General
-
Target
70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0
-
Size
147KB
-
Sample
221126-1t7m1age59
-
MD5
0a4ecef563dd2052acc1ba9b60e3387c
-
SHA1
05bf9a8c35ece56e78a3da06a1d31561fbdf2f3b
-
SHA256
70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0
-
SHA512
86d7052f18444dfdb7207d98c2f442d9eb2c45d4b5b596f8280b7ed7ce01438547a9962a163949636cf5a78eb349807a558eb74d881c4e3da00088807ffd0b0d
-
SSDEEP
3072:ohEP75PCokia5JFkXqGaRcEQZsoVHIadP/:1TookbF8qGSQS4
Static task
static1
Malware Config
Extracted
redline
newlogs
77.73.133.70:38819
-
auth_value
05a73a1692c3aebb2a26f1a593237a77
Extracted
redline
KRIPT
212.8.246.157:32348
-
auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4
Extracted
redline
Main
109.206.243.58:81
-
auth_value
8d4fa15b87cebd556cbb5208a3db0fdc
Extracted
laplas
clipper.guru
-
api_key
c25400a81a220bbbc3cb779c59ab8b74c7b58ae3a99f465520cbd86c53bd630b
Extracted
remcos
Main
109.206.243.58:4541
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
15
-
connect_interval
3
-
copy_file
jdk.exe
-
copy_folder
Java
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%UserProfile%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Main-ABIEBJ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Java Updater
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0
-
Size
147KB
-
MD5
0a4ecef563dd2052acc1ba9b60e3387c
-
SHA1
05bf9a8c35ece56e78a3da06a1d31561fbdf2f3b
-
SHA256
70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0
-
SHA512
86d7052f18444dfdb7207d98c2f442d9eb2c45d4b5b596f8280b7ed7ce01438547a9962a163949636cf5a78eb349807a558eb74d881c4e3da00088807ffd0b0d
-
SSDEEP
3072:ohEP75PCokia5JFkXqGaRcEQZsoVHIadP/:1TookbF8qGSQS4
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-