General
-
Target
1c69a1b3116f4287ed85eece698dca49.exe
-
Size
1.0MB
-
Sample
230324-gtqvpsef71
-
MD5
1c69a1b3116f4287ed85eece698dca49
-
SHA1
8337da8c05c1d3951a5270d4cb4b5a414215f741
-
SHA256
86cd6b87e4ade0b8e0d440a956644837d4ced2552ea0d7890ef70df61d686c8f
-
SHA512
658881f895e253b1b8e8c94ab9c71adf00e0a3fd6794033e9201bde0d1a51e4aff10665ab7f9a2e7a66810bacb0cf8090caf465312d59e7fde52e27ff74e7fad
-
SSDEEP
24576:iyAJGBbFcso4QzQEqUhNMaGMdoOTt8cPMDZ7ITRu:JvBbF/o4QzEUhN2upTdMa
Static task
static1
Behavioral task
behavioral1
Sample
1c69a1b3116f4287ed85eece698dca49.exe
Resource
win7-20230220-en
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
bolt
193.233.20.31:4125
-
auth_value
29540c7bf0277243e2faf6601e15a754
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)
151.80.89.234:19388
-
auth_value
56af49c3278d982f9a41ef2abb7c4d09
Extracted
redline
USA
65.108.152.34:37345
-
auth_value
01ecb56953469aaed8efad25c0f68a64
Extracted
aurora
94.142.138.215:8081
Targets
-
-
Target
1c69a1b3116f4287ed85eece698dca49.exe
-
Size
1.0MB
-
MD5
1c69a1b3116f4287ed85eece698dca49
-
SHA1
8337da8c05c1d3951a5270d4cb4b5a414215f741
-
SHA256
86cd6b87e4ade0b8e0d440a956644837d4ced2552ea0d7890ef70df61d686c8f
-
SHA512
658881f895e253b1b8e8c94ab9c71adf00e0a3fd6794033e9201bde0d1a51e4aff10665ab7f9a2e7a66810bacb0cf8090caf465312d59e7fde52e27ff74e7fad
-
SSDEEP
24576:iyAJGBbFcso4QzQEqUhNMaGMdoOTt8cPMDZ7ITRu:JvBbF/o4QzEUhN2upTdMa
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-