General
- Target: ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683
- Size: 1.0MB
- Sample: 230324-epnhnseb4w
- MD5: 77c45c0debb608b80b97ad7a6bf2a645
- SHA1: a6060a05095ec32126651112b005a1499f2fea0c
- SHA256: ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683
- SHA512: 82d201e3659d9971cc9d92dd0d8e256cfa579c16e352bd63627cbe070ff40cc52422b83567397d7b82f18af8f3b6619f5e4dbd4d6ad40ffdc11a2d5cabb3333f
- SSDEEP: 24576:hyhqTTy4gz6Xwuj1cuiYKMYB4Y6aoG5okpNcQeY:UhqTl3NsujaoGiW

Static task: static1

Malware Config

Extracted: redline
- down
- 193.233.20.31:4125
- auth_value: 12c31a90c72f5efae8c053a0bd339381

Extracted: redline
- bolt
- 193.233.20.31:4125
- auth_value: 29540c7bf0277243e2faf6601e15a754

Extracted: amadey
- 3.68
- 62.204.41.87/joomla/index.php

Extracted: redline
- USA
- 65.108.152.34:37345
- auth_value: 01ecb56953469aaed8efad25c0f68a64

Extracted: aurora
- 212.87.204.93:8081
- 94.142.138.215:8081
Targets

- Target: ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683
- Size: 1.0MB
- MD5: 77c45c0debb608b80b97ad7a6bf2a645
- SHA1: a6060a05095ec32126651112b005a1499f2fea0c
- SHA256: ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683
- SHA512: 82d201e3659d9971cc9d92dd0d8e256cfa579c16e352bd63627cbe070ff40cc52422b83567397d7b82f18af8f3b6619f5e4dbd4d6ad40ffdc11a2d5cabb3333f
- SSDEEP: 24576:hyhqTTy4gz6Xwuj1cuiYKMYB4Y6aoG5okpNcQeY:UhqTl3NsujaoGiW

Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext