General
- Target: 7cf6b1d778d8e768db95c09e6896c63c.exe
- Size: 1.2MB
- Sample: 230318-hfrqhsde81
- MD5: 7cf6b1d778d8e768db95c09e6896c63c
- SHA1: 40696162fb8fde6c40b0974589eb567287382252
- SHA256: ce5e75077840abb3d32d35eb8889f85e9aa2833c59288db001a0eac27dc07049
- SHA512: e967aef8f53c0091125d86a070826d2f045b3b56f6f98e6baba6862317086899575521096076b1af166cb48cc02e94d37c970761573000fd36bc5c767c187763
- SSDEEP: 24576:DisFzwUeGh3ygDw0cRGhIFfbXRl7qOP36P0mvVOHVXQ9i1P:DTMUmP0ZhUfbXRl1PiJSXQ9i
Static task
- static1
Behavioral task
- behavioral1
- Sample: 7cf6b1d778d8e768db95c09e6896c63c.exe
- Resource: win7-20230220-en
Malware Config
Extracted
- Family: redline
- Botnet: mango
- C2: 193.233.20.28:4125
- auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
- Family: redline
- Botnet: ruka
- C2: 193.233.20.28:4125
- auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Extracted
- Family: amadey
- Version: 3.68
- C2: 62.204.41.59/wordpress/console2/index.php
Extracted
- Family: aurora
- C2: 45.15.156.172:8081
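The four extracted configs above give three distinct C2 endpoints (both RedLine botnets share one). The Python below is an added example, not output of the sandbox: it turns those configs into indicators and runs them over constructed Zeek-style conn.log and http.log rows. The tab-separated column order, the port-80 assumption for Amadey's schemeless URL, and the sample log rows are assumptions for illustration, not data from this run.

```python
"""Match the C2 indicators from the extracted configs against network logs.
Added example, not part of the sandbox report. Log lines are constructed;
the field layout follows Zeek's conn.log / http.log (tab-separated), which
is an assumption about the reader's telemetry, not something the report states."""
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the "Malware Config" section of this report.
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "mango", "c2": "193.233.20.28:4125"},
    {"family": "redline", "botnet": "ruka", "c2": "193.233.20.28:4125"},
    {"family": "amadey", "version": "3.68", "c2": "62.204.41.59/wordpress/console2/index.php"},
    {"family": "aurora", "c2": "45.15.156.172:8081"},
]


@dataclass(frozen=True)
class Indicator:
    family: str
    ip: str
    port: int
    path: Optional[str]  # None for raw-socket C2 (RedLine, Aurora); URI for HTTP C2 (Amadey)


def parse_c2(family, c2):
    """Turn a config C2 string into an Indicator.
    Two shapes appear in the report: 'ip:port' (raw TCP) and 'ip/path' (HTTP).
    Amadey's URL carries no scheme or port, so port 80 is assumed (assumption)."""
    if "/" in c2:
        host, _, path = c2.partition("/")
        ip, _, port = host.partition(":")
        return Indicator(family, ip, int(port) if port else 80, "/" + path)
    ip, _, port = c2.partition(":")
    return Indicator(family, ip, int(port), None)


def build_indicators(configs=EXTRACTED_CONFIGS):
    # A set: the two RedLine configs collapse into one indicator.
    return {parse_c2(c["family"], c["c2"]) for c in configs}


def scan_conn_log(lines, indicators):
    """Zeek conn.log columns: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, ...
    Returns (uid, source host, family) for rows whose destination is a C2 ip:port."""
    by_dest = {(i.ip, i.port): i for i in indicators}
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        key = (f[4], int(f[5]))
        if key in by_dest:
            hits.append((f[1], f[2], by_dest[key].family))
    return hits


def scan_http_log(lines, indicators):
    """Zeek http.log columns: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
    trans_depth, method, host, uri, ... Matches on host + uri so that only the
    Amadey panel path fires, not every request to that web server."""
    by_url = {(i.ip, i.path): i for i in indicators if i.path}
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        key = (f[8], f[9])
        if key in by_url:
            hits.append((f[1], f[2], by_url[key].family))
    return hits


# Constructed sample logs (not captured from the sandbox run).
SAMPLE_CONN = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1679127000.1\tC1\t10.0.0.5\t49711\t193.233.20.28\t4125\ttcp
1679127001.2\tC2\t10.0.0.5\t49712\t142.250.74.78\t443\ttcp
1679127002.3\tC3\t10.0.0.7\t49800\t45.15.156.172\t8081\ttcp
1679127003.4\tC4\t10.0.0.7\t49801\t45.15.156.172\t80\ttcp
""".splitlines()

SAMPLE_HTTP = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi
1679127004.5\tC5\t10.0.0.5\t49713\t62.204.41.59\t80\t1\tPOST\t62.204.41.59\t/wordpress/console2/index.php
1679127005.6\tC6\t10.0.0.5\t49714\t62.204.41.59\t80\t1\tGET\t62.204.41.59\t/
""".splitlines()

if __name__ == "__main__":
    inds = build_indicators()
    print(scan_conn_log(SAMPLE_CONN, inds))
    print(scan_http_log(SAMPLE_HTTP, inds))
```

Aurora is matched on ip:port and Amadey on host plus URI, so the sample row to 45.15.156.172:80 and the GET for "/" are deliberately not flagged. Widen `by_dest` to IP-only matching if every contact with a C2 host should fire, at the cost of more noise where the host also serves unrelated traffic.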
Targets
- Target: 7cf6b1d778d8e768db95c09e6896c63c.exe (size and hashes as listed under General)
- RedLine: RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of SetThreadContext: overwriting another thread's context is the step that redirects execution in process hollowing and similar injection techniques.
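The behavioural signatures above are derived from the API-call trace of the run. As an added illustration, and not the sandbox's own signature engine, the Python below applies rules for four of them to a constructed trace. The registry paths are the standard Windows locations these checks are assumed to touch (the Geo\Nation value under Control Panel\International, the Uninstall key, the Run keys), the API names are the Win32 ones, and the SetThreadContext rule requires the textbook hollowing chain (CreateProcess with CREATE_SUSPENDED, WriteProcessMemory, SetThreadContext) so that a debugger's use of the same API is not flagged; the report itself prints none of these details, and the trace events are invented for the example.

```python
"""Toy behavioural-signature engine over an API-call trace.
Added example; not the sandbox's engine and not data from this run.
Registry paths are the standard Windows locations the report's signatures
are assumed to watch (assumption: the report does not name the keys)."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 process creation flag

GEO_KEY = r"HKCU\Control Panel\International\Geo"  # value "Nation" holds the GeoID
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def norm(path):
    """Case-fold and shorten hive names so traces using either spelling match."""
    return (path.lower()
            .replace("hkey_current_user", "hkcu")
            .replace("hkey_local_machine", "hklm"))


def evaluate(trace):
    """trace: list of {"pid", "api", "args"} dicts in call order.
    Returns {signature name: sorted list of pids that triggered it}."""
    hits = defaultdict(set)
    created_suspended = {}  # child pid -> creating pid
    written = set()         # suspended children that received WriteProcessMemory
    run_keys = {norm(k) for k in RUN_KEYS}
    for ev in trace:
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api in ("RegQueryValueExW", "RegQueryValueExA") \
                and norm(a["key"]).startswith(norm(GEO_KEY)) \
                and a.get("value", "").lower() == "nation":
            hits["Checks computer location settings"].add(pid)
        elif api in ("RegEnumKeyExW", "RegOpenKeyExW") \
                and norm(a["key"]).startswith(norm(UNINSTALL_KEY)):
            hits["Checks installed software on the system"].add(pid)
        elif api in ("RegSetValueExW", "RegSetValueExA") and norm(a["key"]) in run_keys:
            hits["Adds Run key to start application"].add(pid)
        elif api == "CreateProcessW" and a.get("flags", 0) & CREATE_SUSPENDED:
            created_suspended[a["child_pid"]] = pid
        elif api == "WriteProcessMemory" and a["target_pid"] in created_suspended:
            written.add(a["target_pid"])
        elif api == "SetThreadContext" and a["target_pid"] in written:
            # Only fires after memory was written into a process we created suspended.
            hits["Suspicious use of SetThreadContext"].add(pid)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed trace (pids, paths and sizes are made up for the example).
SAMPLE_TRACE = [
    {"pid": 1001, "api": "RegQueryValueExW",
     "args": {"key": r"HKEY_CURRENT_USER\Control Panel\International\Geo", "value": "Nation"}},
    {"pid": 1001, "api": "RegEnumKeyExW",
     "args": {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"}},
    {"pid": 1001, "api": "CreateProcessW",
     "args": {"image": r"C:\Users\Public\child.exe", "flags": CREATE_SUSPENDED, "child_pid": 1002}},
    {"pid": 1001, "api": "WriteProcessMemory", "args": {"target_pid": 1002, "size": 0x2A000}},
    {"pid": 1001, "api": "SetThreadContext", "args": {"target_pid": 1002}},
    {"pid": 1001, "api": "ResumeThread", "args": {"target_pid": 1002}},
    {"pid": 1002, "api": "RegSetValueExW",
     "args": {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
              "value": "svc", "data": r"C:\Users\Public\svc.exe"}},
    # Benign: a debugger touching a thread context in a process it never wrote into.
    {"pid": 2000, "api": "SetThreadContext", "args": {"target_pid": 2001}},
]

if __name__ == "__main__":
    for name, pids in evaluate(SAMPLE_TRACE).items():
        print(f"{name}: {pids}")
```

The Run-key write is attributed to pid 1002, the process that was hollowed, which is why the sandbox lists "Adds Run key" and "Suspicious use of SetThreadContext" as separate signatures rather than as one chain; correlate on the parent/child relation when you want the persistence to be credited back to the original sample.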