General
-
Target
0192d35c916b3a26132cef7dd09dbabe.exe
-
Size
952KB
-
Sample
230321-gtrr1aba5t
-
MD5
0192d35c916b3a26132cef7dd09dbabe
-
SHA1
9480935bca8e7c22c379e894633ad59acae0c871
-
SHA256
06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5
-
SHA512
614d1a0159834c7d8ca086455366912beba7398d9764fa21d6f4e05015d31abf4d4d9ffe289379848858e12a09cf4ae4cf17348d8182336aab3e9965679ba03b
-
SSDEEP
24576:syFzLdzags/31Oqoj83ZR2hJzSknQBlL13M64C:bhFaXOqoj83ZVT5MF
Static task
static1
Behavioral task
behavioral1
Sample
0192d35c916b3a26132cef7dd09dbabe.exe
Resource
win7-20230220-en
Malware Config
Extracted
https://www.mdegmm.com/pdf/debug2.ps1
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
-
auth_value
fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
14
45.12.253.144:40145
-
auth_value
6528d0f243ad9e530a68f2a487521a80
Targets
-
-
Target
0192d35c916b3a26132cef7dd09dbabe.exe
-
Size
952KB
-
MD5
0192d35c916b3a26132cef7dd09dbabe
-
SHA1
9480935bca8e7c22c379e894633ad59acae0c871
-
SHA256
06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5
-
SHA512
614d1a0159834c7d8ca086455366912beba7398d9764fa21d6f4e05015d31abf4d4d9ffe289379848858e12a09cf4ae4cf17348d8182336aab3e9965679ba03b
-
SSDEEP
24576:syFzLdzags/31Oqoj83ZR2hJzSknQBlL13M64C:bhFaXOqoj83ZVT5MF
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-