General
- Target: file.exe
- Size: 35KB
- Sample: 230105-hm3flaef4v
- MD5: d99d4989355a51b4de84df9f5eec9122
- SHA1: aff7b79038862d65d22c64b228b64c945f415e0d
- SHA256: 6a76080cc3b34c768275c7409513aa8870b73d37fbdbe4a50ba4e14f026976f6
- SHA512: d81ef4edd11bf9d9facd4633874e0d12d6c4d8451d6813ef1bcb2c58843c2220a6248b6e627e03dbd2bee1edda5a06cc31029fcb6f000288bca8e129ce389d86
- SSDEEP: 768:0WhNNkg4XVa0V+jCnksy4r/wOPpdwMNhghy0qt:0Wh0FXVa01c4kmTghy0w
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted: http://62.204.41.194/go.png
Extracted: http://62.204.41.194/F1.exe
Extracted: http://62.204.41.194/me.png
Extracted: redline
- $
- 31.41.244.135:19850
- auth_value: 66623f79e2af33286760f5dd6c4262dc
Targets
- Target: file.exe
  - Size: 35KB
  - MD5: d99d4989355a51b4de84df9f5eec9122
  - SHA1: aff7b79038862d65d22c64b228b64c945f415e0d
  - SHA256: 6a76080cc3b34c768275c7409513aa8870b73d37fbdbe4a50ba4e14f026976f6
  - SHA512: d81ef4edd11bf9d9facd4633874e0d12d6c4d8451d6813ef1bcb2c58843c2220a6248b6e627e03dbd2bee1edda5a06cc31029fcb6f000288bca8e129ce389d86
  - SSDEEP: 768:0WhNNkg4XVa0V+jCnksy4r/wOPpdwMNhghy0qt:0Wh0FXVa01c4kmTghy0w
Score: 10/10
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- XMRig Miner payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext