General
-
Target
8078c3eb8f965b9af5d6c0a9478b9b15c0791d7ac2f8d73fd9c0082954975c84
-
Size
1021KB
-
Sample
230323-2w382aaf82
-
MD5
55395f8faa218c6ad356ad58ae90a037
-
SHA1
08997dd1bdaa5b5759e6df343e831c43d1f8ccba
-
SHA256
8078c3eb8f965b9af5d6c0a9478b9b15c0791d7ac2f8d73fd9c0082954975c84
-
SHA512
80b64df375f3f8488a5b35155fa0eaedbcc9044bf0e6d1cca51f640e6c28852b8ace5c29ebf202c5cc6f8bf43ebc5c4b1242c76689aae5940f82c2f334e087d0
-
SSDEEP
24576:7yWAybo0UzGOvtres3IuVacHMUjuiM6aGc2KckZn7o:uRyboBDN/bH8iMHz1Z
Static task
static1
Behavioral task
behavioral1
Sample
8078c3eb8f965b9af5d6c0a9478b9b15c0791d7ac2f8d73fd9c0082954975c84.exe
Resource
win10-20230220-en
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
lown
193.233.20.31:4125
-
auth_value
4cf836e062bcdc2a4fdbf410f5747ec7
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Targets
-
-
Target
8078c3eb8f965b9af5d6c0a9478b9b15c0791d7ac2f8d73fd9c0082954975c84
-
Size
1021KB
-
MD5
55395f8faa218c6ad356ad58ae90a037
-
SHA1
08997dd1bdaa5b5759e6df343e831c43d1f8ccba
-
SHA256
8078c3eb8f965b9af5d6c0a9478b9b15c0791d7ac2f8d73fd9c0082954975c84
-
SHA512
80b64df375f3f8488a5b35155fa0eaedbcc9044bf0e6d1cca51f640e6c28852b8ace5c29ebf202c5cc6f8bf43ebc5c4b1242c76689aae5940f82c2f334e087d0
-
SSDEEP
24576:7yWAybo0UzGOvtres3IuVacHMUjuiM6aGc2KckZn7o:uRyboBDN/bH8iMHz1Z
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-