General
-
Target
3e5b2526887a6b5dca6e0e34c796ab77.exe
-
Size
1011KB
-
Sample
230324-pwr5jsgd6s
-
MD5
3e5b2526887a6b5dca6e0e34c796ab77
-
SHA1
e547cbda384dc752acdc16db087a849d54487786
-
SHA256
ec91b5c3178654b86496af10f17af63be1587c13a02f683107f7cec1ed7de0a0
-
SHA512
a69f804e561b15303123a8c99d3221176dcbfbf30d7e24cb6c11048f6843e2d4b114f735b7c0d84c8ffda3b0ab5718aa1a30d123e3e784946e51bdfc1620f4af
-
SSDEEP
24576:TyhrKaIO98YWzg/J04Y9qK0+z7uewXhsbgalp9FvGw:mVKw8YWzg/J0LMVhCg+HF
Static task
static1
Behavioral task
behavioral1
Sample
3e5b2526887a6b5dca6e0e34c796ab77.exe
Resource
win7-20230220-en
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
lida
193.233.20.32:4125
-
auth_value
24052aa2e9b85984a98d80cf08623e8d
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
USA
65.108.152.34:37345
-
auth_value
01ecb56953469aaed8efad25c0f68a64
Extracted
aurora
94.142.138.215:8081
Targets
-
-
Target
3e5b2526887a6b5dca6e0e34c796ab77.exe
-
Size
1011KB
-
MD5
3e5b2526887a6b5dca6e0e34c796ab77
-
SHA1
e547cbda384dc752acdc16db087a849d54487786
-
SHA256
ec91b5c3178654b86496af10f17af63be1587c13a02f683107f7cec1ed7de0a0
-
SHA512
a69f804e561b15303123a8c99d3221176dcbfbf30d7e24cb6c11048f6843e2d4b114f735b7c0d84c8ffda3b0ab5718aa1a30d123e3e784946e51bdfc1620f4af
-
SSDEEP
24576:TyhrKaIO98YWzg/J04Y9qK0+z7uewXhsbgalp9FvGw:mVKw8YWzg/J0LMVhCg+HF
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-