General
Target: 548ee02a30c2dcca5f3f91e90212ec29.bin
Size: 988KB
Sample: 230320-bn6q3sba78
MD5: 75cc1b79fa27cc4ff3184c17d48649f4
SHA1: 1e3f4372e8176549393895ba1b7d7866f1df89b7
SHA256: 2c027dfb833767e388386c5e47adf05d0fd2fd071e3f70a363bc1e62724a3f0e
SHA512: dbd15dc1dec6be2e24bff8ed67beb0da4343558cfb88a3331ecd11b61c26ae577abb18083c62c52e4ca1b663658f168a9b00a086d93602f00770a27b4b730259
SSDEEP: 24576:SxS4lKiPQ9Cvg3/psyBP/Wg5IECBdf00dymjB2NZbB120Q:S7/rvg3/6yBP/Wg5IEKdym0FQ
Static task: static1
Behavioral task: behavioral1
Sample: 3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e.exe
Resource: win7-20230220-en
Malware Config
Extracted: redline (gena)
193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted: redline (vint)
193.233.20.30:4125
auth_value: fb8811912f8370b3d23bffda092d88d0

Extracted: amadey (3.68)
62.204.41.87/joomla/index.php

Extracted: redline (build_main)
80.85.156.168:20189
auth_value: 5e5c9cacc6d168f8ade7fb6419edb114

Extracted: redline (Rocket)
95.217.188.21:7283
auth_value: 0095203c91b01efccf3842dc176e53f2
Targets
Target: 3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e.exe
Size: 1.0MB
MD5: 548ee02a30c2dcca5f3f91e90212ec29
SHA1: cff21359a3498e3f3e8def5c553a626363b49922
SHA256: 3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e
SHA512: 4f7be3d30ebd73bdd88a07601edfa7e83198338625f1769fba3ce764d6517662f64189830f56d1711590293f5acf89ab238027f2c4997aba546f19523e3e747a
SSDEEP: 24576:WyapzRm+tB1T6qkoY0/WavTQmaHHT7o2cKC:lapFfT1OVt8lvTQZTRcK
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext