General
-
Target
4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed
-
Size
1.1MB
-
Sample
230221-aajtqada77
-
MD5
6aa87cec8a0369c3e1e66b4183cb6fee
-
SHA1
a53c5c47323e84d2955a785c33a815abaa05906d
-
SHA256
4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed
-
SHA512
e842e068e07ab21c038f26c87a83c23de09230af396323e67b3d6fb4d176d7dcb6af5b8a7d947c7b4287a986044792060e564b094aa1c39917b6d46fe5577a48
-
SSDEEP
24576:cynKpJUWBTz435ag2SHqjCyVwLNl4TrOG6KaF2vJfvnl2dCjYxXrXiSq:LnKp+WBTz4aSG9iL7saL/2vJV1ErSS
Static task
static1
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Extracted
redline
fucna
193.233.20.17:4139
-
auth_value
16ab0f6ba753ccbeb028722745cf846f
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Extracted
redline
kk1
176.113.115.17:4132
-
auth_value
df169d3f7f631272f7c6bd9a1bb603c3
Targets
-
-
Target
4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed
-
Size
1.1MB
-
MD5
6aa87cec8a0369c3e1e66b4183cb6fee
-
SHA1
a53c5c47323e84d2955a785c33a815abaa05906d
-
SHA256
4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed
-
SHA512
e842e068e07ab21c038f26c87a83c23de09230af396323e67b3d6fb4d176d7dcb6af5b8a7d947c7b4287a986044792060e564b094aa1c39917b6d46fe5577a48
-
SSDEEP
24576:cynKpJUWBTz435ag2SHqjCyVwLNl4TrOG6KaF2vJfvnl2dCjYxXrXiSq:LnKp+WBTz4aSG9iL7saL/2vJV1ErSS
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-