General
- Target: a3bf44eff469f8002a323293372c325a5dc518f579012586f18005a5837406d8
- Size: 1012KB
- Sample: 230324-rkxxrsgh6y
- MD5: 576e4b3f01588090331488d31259c99f
- SHA1: 21095a66dd2b7e613abf65cc09b3247a254cc24a
- SHA256: a3bf44eff469f8002a323293372c325a5dc518f579012586f18005a5837406d8
- SHA512: 0b9b1df9a7f275470ffb309751bab5890d3ec8b0061ff310d91e0a68414c198092aebd071bebdface922ddba9e147cb763ce893325b6c56f9042f752aadcc392
- SSDEEP: 24576:XyYgfxY/kGBhO1mwxblDuSfUhWClWlV3cQC8q:iYQYMacUwxg0IWlV3C8
- Static task: static1
Malware Config
- Extracted: redline
  - Botnet: boris
  - C2: 193.233.20.32:4125
  - auth_value: 766b5bdf6dbefcf7ca223351952fc38f
- Extracted: redline
  - Botnet: lida
  - C2: 193.233.20.32:4125
  - auth_value: 24052aa2e9b85984a98d80cf08623e8d
- Extracted: amadey
  - Version: 3.68
  - C2: 62.204.41.87/joomla/index.php
- Extracted: redline
  - Botnet: Anh123
  - C2: 199.115.193.116:11300
  - auth_value: db990971ec3911c24ea05eeccc2e1f60
Targets
- Target: a3bf44eff469f8002a323293372c325a5dc518f579012586f18005a5837406d8
- Size: 1012KB
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext