General
-
Target
67f5a24a7390b2ad13a1b62af6f19cf3fd5b2c0750fe718e79924c568a1e86b3
-
Size
1012KB
-
Sample
230324-gqaz3sef6w
-
MD5
41a6883d419a795c3218a556c94bd399
-
SHA1
8f72c237c5f0183f55144917745e31bc47af9c63
-
SHA256
67f5a24a7390b2ad13a1b62af6f19cf3fd5b2c0750fe718e79924c568a1e86b3
-
SHA512
92a80fe6d25bf12c10520221c11ffcc9cc55d4ad4302764ff5ec51ff03a3c9b2fe17e6b87975000cd03b8c7028406c3022740ffdacf1b33481ae871c6f996d53
-
SSDEEP
12288:UMr7y90G6LQlO7ZL3pdt6dIAMHcdn2Nhm58YKED/6QHysH0rM3W6LYBWqN2JI3ho:HywsMVTGI/H8nRZZ/JSsfW6LYkXe3y
Static task
static1
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
bolt
193.233.20.31:4125
-
auth_value
29540c7bf0277243e2faf6601e15a754
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
USA
65.108.152.34:37345
-
auth_value
01ecb56953469aaed8efad25c0f68a64
Extracted
aurora
94.142.138.215:8081
Targets
-
-
Target
67f5a24a7390b2ad13a1b62af6f19cf3fd5b2c0750fe718e79924c568a1e86b3
-
Size
1012KB
-
MD5
41a6883d419a795c3218a556c94bd399
-
SHA1
8f72c237c5f0183f55144917745e31bc47af9c63
-
SHA256
67f5a24a7390b2ad13a1b62af6f19cf3fd5b2c0750fe718e79924c568a1e86b3
-
SHA512
92a80fe6d25bf12c10520221c11ffcc9cc55d4ad4302764ff5ec51ff03a3c9b2fe17e6b87975000cd03b8c7028406c3022740ffdacf1b33481ae871c6f996d53
-
SSDEEP
12288:UMr7y90G6LQlO7ZL3pdt6dIAMHcdn2Nhm58YKED/6QHysH0rM3W6LYBWqN2JI3ho:HywsMVTGI/H8nRZZ/JSsfW6LYkXe3y
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-