General
-
Target
75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
-
Size
107KB
-
Sample
230116-nwj89sac6v
-
MD5
ef682e7e7493f49e878955238c1f8548
-
SHA1
7daa4141036c73e92046fabe99a6e09c9c94ecd1
-
SHA256
0833f46bb63961a8f18cc5520fbc4b6741e9a76ed2ac5955ffbba3169af9ddfc
-
SHA512
5853af78e25b83859398255362c7d4ca27063e5bf2199b294aaf43e0c9ac0259f297330f4b03f3746214c794a74dcf0e22e9ce880d680dc93ac18afe3f544525
-
SSDEEP
3072:s23m64YF6H//7X8UlqHEm6S9cpeAFNgvZBjPH:d3P3F6bcHnVjPH
Behavioral task
behavioral1
Sample
75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
amadey
3.66
62.204.41.27/9djZdj09/index.php
Extracted
redline
gula
62.204.41.211:4065
-
auth_value
4bef3143c3de8ce351d43c906a88fb8a
Extracted
redline
1
librchichelpai.shop:81
rniwondunuifac.shop:81
-
auth_value
b6c86adb7106e9ee7247628f59e06830
Extracted
redline
debra
62.204.41.211:4065
-
auth_value
24df232a5a333f96ae6fb8b270fed1ff
Extracted
redline
1111223333
82.115.223.9:15486
-
auth_value
64ab100c5a9f497dd18f093d7dc8818c
Targets
-
-
Target
75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
-
Size
235KB
-
MD5
77e0a0a90e0231493bd421f4cdab0668
-
SHA1
b09f8951b42a2993b637df9e41f6a25be106c2cb
-
SHA256
75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
-
SHA512
d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
SSDEEP
6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Registers COM server for autorun
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-