General
-
Target
a6c558f9f34beaa7b5f074c7b22a83c16926214dfe0b6428b0750fdacbefeb17
-
Size
1011KB
-
Sample
230324-rpd1fsfa67
-
MD5
617a06417655047b4443ed55b212a6b4
-
SHA1
55fe338a969212ddb478b955516a5c3b8f41cb88
-
SHA256
a6c558f9f34beaa7b5f074c7b22a83c16926214dfe0b6428b0750fdacbefeb17
-
SHA512
dfc3413cf13573f91b54d1a613db857d4a192b013234fb8aa3ba8876022d484162be4fced54ec4f130cd6a2df92e2ee54204951fc4ed98604dc55b0d1d5774bd
-
SSDEEP
24576:byC16CW9hm5m4itF64XN4ySpCDZ8dYS4jr6RM:OJbNxKuO
Static task
static1
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
lida
193.233.20.32:4125
-
auth_value
24052aa2e9b85984a98d80cf08623e8d
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
Anh123
199.115.193.116:11300
-
auth_value
db990971ec3911c24ea05eeccc2e1f60
Targets
-
-
Target
a6c558f9f34beaa7b5f074c7b22a83c16926214dfe0b6428b0750fdacbefeb17
-
Size
1011KB
-
MD5
617a06417655047b4443ed55b212a6b4
-
SHA1
55fe338a969212ddb478b955516a5c3b8f41cb88
-
SHA256
a6c558f9f34beaa7b5f074c7b22a83c16926214dfe0b6428b0750fdacbefeb17
-
SHA512
dfc3413cf13573f91b54d1a613db857d4a192b013234fb8aa3ba8876022d484162be4fced54ec4f130cd6a2df92e2ee54204951fc4ed98604dc55b0d1d5774bd
-
SSDEEP
24576:byC16CW9hm5m4itF64XN4ySpCDZ8dYS4jr6RM:OJbNxKuO
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-