General
-
Target
fb75412ff8a9aeee8bfbc0fefd3b8b04.bin
-
Size
671KB
-
Sample
230216-cj7y1sfa2t
-
MD5
968add83a160ec0339c1d94e071acc4d
-
SHA1
413e0ee8180ff9fd0ab90200356817c0c5fff26c
-
SHA256
75c22b6bd35f6a8f2861824280d22f924913e2d4e25727d356022c49bc4058a8
-
SHA512
79aea836a3443e91bfa8bf339752ed0d59c656d7c9ba049e727758a5d04b5c4450db16bf0ad1d8ee8a7fdf1b46faca077e7c24c978d4562fe13e998f0ee738b3
-
SSDEEP
12288:C8meJdl8k3Z7EYJL+n0V4A6c3BomqoHfOdeBc9KyUULAjvjWyiuZ+5P:seJdSkxEYV+n0V4A6cRomqUfOde8DDie
Static task
static1
Behavioral task
behavioral1
Sample
e90640f76e8b7cb2dbb8a4b43c3bd8e45fd79ae419389c126ac4d2bbc4bf25df.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e90640f76e8b7cb2dbb8a4b43c3bd8e45fd79ae419389c126ac4d2bbc4bf25df.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Extracted
amadey
3.66
193.233.20.2/Bn89hku/index.php
Extracted
redline
ruma
193.233.20.13:4136
-
auth_value
647d00dfaba082a4a30f383bca5d1a2a
Targets
-
-
Target
e90640f76e8b7cb2dbb8a4b43c3bd8e45fd79ae419389c126ac4d2bbc4bf25df.exe
-
Size
721KB
-
MD5
fb75412ff8a9aeee8bfbc0fefd3b8b04
-
SHA1
62fd49a9bd5b4ea6adf6ebdcd2bb4d9e0960b918
-
SHA256
e90640f76e8b7cb2dbb8a4b43c3bd8e45fd79ae419389c126ac4d2bbc4bf25df
-
SHA512
f4debd082c9e8b386fb7518adbbffc151ec8fab7928da0ebbd5dc01fb0cc1d5f5febc6a4c31670e1d2404eaa5275e3cfaef42a8567b662d773530a69d9870ba2
-
SSDEEP
12288:OMrIy90f1CGOrFx1bXpIKuUXsiQIP5kFn4ymQjji8Ka50MzHLVPlcOei6:OyYCGeFx1lbuUGIP5pyRuhi0MlPnN6
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-