General
Target: dfd46f70d13e389b3ae88fe96d6cdfd0.bin.exe
Size: 1.2MB
Sample: 230317-mq4kaafg76
MD5: dfd46f70d13e389b3ae88fe96d6cdfd0
SHA1: 22e1b207813edf3806c94f4bf1417563cdb1c770
SHA256: 0a80b539c3544cea4be2be916a2c1c86390264d941ba873eb43f90eba682f782
SHA512: e9b102f6c1e8bccaf0fad3aa6d05324f6ff80045bfd143d5c3f1b1c66d5c127f2301548ca816b27a79b1e6a72364c5a4b3d9d0046ef5d149925ccd6010a3bcc9
SSDEEP: 24576:ay4nG+SGEpD14bS/xKYWa8eE/awROxODaSEIGzjn6IeY8y:ayRzmKxKla8eE/adxOdwj
Static task: static1
Behavioral task: behavioral1
Sample: dfd46f70d13e389b3ae88fe96d6cdfd0.bin.exe
Resource: win7-20230220-en
Malware Config
Extracted: redline
  mango
  193.233.20.28:4125
  auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted: redline
  ruka
  193.233.20.28:4125
  auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Extracted: amadey
  3.68
  62.204.41.59/wordpress/console2/index.php
Extracted: aurora
  45.15.156.172:8081
Targets
Target: dfd46f70d13e389b3ae88fe96d6cdfd0.bin.exe
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Downloads MZ/PE file
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext