General
Target: b45f5215f8b68c03efd7e53e1300ae81.exe
Size: 523KB
Sample: 230224-n9qcfabb52
MD5: b45f5215f8b68c03efd7e53e1300ae81
SHA1: ce29fdd9e10b93a7792386f03ae80c1e6be16082
SHA256: aa5fea254e58fd674f3bcff3809f678a29efbc9feadb4a871dd0804cb2f22983
SHA512: d25957900de85264ad1b3d6873bc0bb49096e6ca62df758712a0c2f579afebd9dd2a81c791d58e4f162735a39e0e64367b5fee40cd81983b6def3de006a87e06
SSDEEP: 12288:gMrFy90Qa8LHIsieYN+5Iiz6D7YpEvW5vvyA+VIUIcQ:Vyk8Los9YN+5IiU7Y/nX+qzcQ
Static task: static1
Behavioral task: behavioral1
Sample: b45f5215f8b68c03efd7e53e1300ae81.exe
Resource: win7-20230220-en
Malware Config
Extracted: amadey
Version: 3.66
C2: 62.204.41.5/Bu58Ngs/index.php
C2: 62.204.41.88/9vdVVVjsw/index.php
Extracted: redline
Botnet: ronur
C2: 193.233.20.20:4134
auth_value: f88f86755a528d4b25f6f3628c460965
Extracted: redline
Botnet: Hack
C2: 154.17.165.178:10377
auth_value: 50233687e98ee274b44a32fcc741f9a4
Extracted: aurora
C2: 212.87.204.93:8081
Extracted: redline
Botnet: Thomas
C2: 107.189.165.102:1919
auth_value: 1a3e158dd21f084bceada6f65fc00a1c
Extracted: redline
Botnet: fakus
C2: 193.233.20.20:4134
auth_value: df1662710f469c976f86cb47113cfd88
Targets
Target: b45f5215f8b68c03efd7e53e1300ae81.exe
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext