General
Target: d7b1b7cb0c4121f9d3d293f60ff88d612df9f12319b884ebb58dbcce139061e8
Size: 1.0MB
Sample: 230324-eve4gseb6w
MD5: beedac201792d63db790f30c7021f06d
SHA1: 86deb0ab328aa420d122594fb334938dd3469645
SHA256: d7b1b7cb0c4121f9d3d293f60ff88d612df9f12319b884ebb58dbcce139061e8
SHA512: c2aa5299412d48f90c57e4e22abe8fd709fc64fe410bada0fa7b9dc75a664d0ec4524b1283535e5d9c7a4e76ea9f93d5e7a89b07e2e797acfa23c2e12805bac9
SSDEEP: 12288:xMrBy907UuBPKmmndqB/9/gTuHVAI5l64t4aYavqZoJEhVLvBWb0XDFafNJzvLyH:gyUKmQGuuqIjyWqaKh9Y0cfzvdMB
Static task: static1
Malware Config
Extracted: redline, down, 193.233.20.31:4125, auth_value 12c31a90c72f5efae8c053a0bd339381
Extracted: redline, bolt, 193.233.20.31:4125, auth_value 29540c7bf0277243e2faf6601e15a754
Extracted: amadey, 3.68, 62.204.41.87/joomla/index.php
Extracted: redline, USA, 65.108.152.34:37345, auth_value 01ecb56953469aaed8efad25c0f68a64
Extracted: aurora, 212.87.204.93:8081
Targets
Target: d7b1b7cb0c4121f9d3d293f60ff88d612df9f12319b884ebb58dbcce139061e8
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.