General
- Target: 8d082c523f28ce7df55a1439077c0f8d.bin
- Size: 921KB
- Sample: 230224-bxcjlabf9y
- MD5: d44733b7f5f89c20fd78a8c0570e21ab
- SHA1: 0ea560ab0cd1d8e164783db48922634a58399158
- SHA256: 7d0fc0328219e4026d50ed9e86d9b138d5e55e24ab364461f68426e69eda0190
- SHA512: 0228de71a8fc80d4669ead62a3ca7a4fb201cd7d409805b049d59d986d659ce53411177d034d982dc8fd79a985f1f4dea4caec839b148376f532a21286805e4f
- SSDEEP: 24576:05DEDlOeoCkepiPWWjMaTi0NRgRjqc1mf:05oOVlTIR2x
Static task: static1
Behavioral task: behavioral1
- Sample: 3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909.exe
- Resource: win7-20230220-en
Malware Config
Extracted: redline
- ronur
- 193.233.20.20:4134
- auth_value: f88f86755a528d4b25f6f3628c460965
Extracted: redline
- funka
- 193.233.20.20:4134
- auth_value: cdb395608d7ec633dce3d2f0c7fb0741
Extracted: amadey
- 3.67
- 193.233.20.15/dF30Hn4m/index.php
Extracted: amadey
- 3.66
- 62.204.41.88/9vdVVVjsw/index.php
Extracted: amadey
- 3.65
- hellomr.observer/7gjD0Vs3d/index.php
- researchersgokick.rocks/7gjD0Vs3d/index.php
- pleasetake.pictures/7gjD0Vs3d/index.php
Extracted: redline
- Hack
- 154.17.165.178:10377
- auth_value: 50233687e98ee274b44a32fcc741f9a4
Extracted: redline
- Thomas
- 107.189.165.102:1919
- auth_value: 1a3e158dd21f084bceada6f65fc00a1c
Targets
- Target: 3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909.exe
- Size: 972KB
- MD5: 8d082c523f28ce7df55a1439077c0f8d
- SHA1: 1088c92c7a11b0d41d73e051fef4b492a8f542cf
- SHA256: 3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909
- SHA512: 5cbcd262831d05fb0700e8ddc659e9ba594089ef94a38e8d3c6ab5c85a6c84bc38b96e9260fb5f2d3d88b0180f8da0544a3b709f32ddb8ed934e63787f706950
- SSDEEP: 24576:KyC9O/uW3a2YECOy1Rheqt3bpsCXG6fubLG4ahBI8Awq27C2bbf:RqUuQa2YE9y16qpbplXGy4UzAwq8Ci
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext