General
- Target: 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9
- Size: 1.1MB
- Sample: 230321-x3q5tscf92
- MD5: 40087334566a94680dc0a9e8ce996521
- SHA1: 5987e93b183405cadda315d23680e21addfcc2ce
- SHA256: 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9
- SHA512: 6a7a6593fed92df44971f75e7a20382e93bbcaf902473b44a1b12083c03e1ff2e5723c59795c8f3c808c5ec89bf3d767e0d7e04276aef8c9bf82515741522ba0
- SSDEEP: 24576:eyxFJW+WfTcxqcwOjuuZPXNvmr9kRTgs83E8Nkifi17M:tjJA7cxqxOjuuhXRoONgaMra

Static task: static1
Malware Config

Extracted: redline
- down
- 193.233.20.31:4125
- auth_value: 12c31a90c72f5efae8c053a0bd339381

Extracted: redline
- sint
- 193.233.20.31:4125
- auth_value: 9d9b763b4dcfbff1c06ef4743cc0399e

Extracted: amadey
- 3.68
- 62.204.41.87/joomla/index.php

Extracted: aurora
- 212.87.204.93:8081

Extracted: redline
- mix1
- 80.85.156.168:20189
- auth_value: 4f9b36b8bfdf2607d3f0e623584037e2
Targets
- Target: 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9
- Size: 1.1MB
- MD5: 40087334566a94680dc0a9e8ce996521
- SHA1: 5987e93b183405cadda315d23680e21addfcc2ce
- SHA256: 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9
- SHA512: 6a7a6593fed92df44971f75e7a20382e93bbcaf902473b44a1b12083c03e1ff2e5723c59795c8f3c808c5ec89bf3d767e0d7e04276aef8c9bf82515741522ba0
- SSDEEP: 24576:eyxFJW+WfTcxqcwOjuuZPXNvmr9kRTgs83E8Nkifi17M:tjJA7cxqxOjuuhXRoONgaMra
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext