General
-
Target
06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5.zip
-
Size
908KB
-
Sample
230321-qp7gbsae63
-
MD5
a50fec17271d2e19c3067b1b6fc88ce1
-
SHA1
2980cd67b1e67c7b2e65cbd79026a339302fa142
-
SHA256
509ea331c1c53a870140d20e21881b83c298347218627f93ea989860db49912b
-
SHA512
9b62b44dbe5894797eb8ad28e09362fa94c144a61b3bb616b7180d2e796c0e0e12f342841db233057d314b1548e3b3c2db966a078b88b9e474e50d72c2082f5e
-
SSDEEP
24576:GSwxpae2IZ0vgstK8vvUmIf0lvwrPU4ncFf62N5sGmf7OGXnWyx:GvxAe9ZjstK8XUY8nuioWY1yx
Static task
static1
Behavioral task
behavioral1
Sample
06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5.exe
Resource
win7-20230220-en
Malware Config
Extracted
https://www.mdegmm.com/pdf/debug2.ps1
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
-
auth_value
fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
14
45.12.253.144:40145
-
auth_value
6528d0f243ad9e530a68f2a487521a80
Targets
-
-
Target
06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5.exe
-
Size
952KB
-
MD5
0192d35c916b3a26132cef7dd09dbabe
-
SHA1
9480935bca8e7c22c379e894633ad59acae0c871
-
SHA256
06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5
-
SHA512
614d1a0159834c7d8ca086455366912beba7398d9764fa21d6f4e05015d31abf4d4d9ffe289379848858e12a09cf4ae4cf17348d8182336aab3e9965679ba03b
-
SSDEEP
24576:syFzLdzags/31Oqoj83ZR2hJzSknQBlL13M64C:bhFaXOqoj83ZVT5MF
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-