General
Target: 155919833797cd44c842cd9130dd9b55486da8f29b2bc81dc70775cfd15f27cc
Size: 1.0MB
Sample: 230325-a645jacd4w
MD5: 5951334654a8769c74441424496f023b
SHA1: 152056458b668e32e931f2068dca862faaa4b662
SHA256: 155919833797cd44c842cd9130dd9b55486da8f29b2bc81dc70775cfd15f27cc
SHA512: 008d103b22aedffc16926b1cb04c7550dca2cd013c4984ef0a66512339f4edb207df6dc6038a99a6e6e1c308985abb151b115219fa1f9252e5b751ef832acd13
SSDEEP: 24576:wysikbY8Ay96QUpSSt3BqURvQL5249g0V+t:3sjY8z6zpftRhoG0V+
Static task: static1
Malware Config
Extracted: redline, botnet "boris"
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Extracted: redline, botnet "rotik"
C2: 193.233.20.32:4125
auth_value: 74863478ae154e921eb729354d2bb4bd
Extracted: amadey, version 3.68
C2: 62.204.41.87/joomla/index.php
Extracted: aurora
C2: 212.87.204.93:8081
Extracted: redline, botnet "whitedoc"
C2: 81.161.229.143:45156
auth_value: 2020d22aaa2ecafa1b12e00dfcffae03
Note: five configurations were recovered from one 1.0MB sample, three RedLine builds (two of which share the 193.233.20.32:4125 C2), one Amadey and one Aurora, which is the footprint of a loader dropping several payloads rather than of a single stealer.
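The extracted configurations above are the most reusable part of the report: the C2 endpoints and RedLine auth_values are the indicators to block and hunt on. The following script is an added example (not code from the sandbox or from any of the malware families named here) that parses a copy of the Malware Config block, turns each "Extracted" entry into a record, groups the records by C2 endpoint so shared infrastructure is visible, and sanity-checks the RedLine entries. The field meanings it assumes (the second line of a RedLine entry is the botnet name, the second line of an Amadey entry is the version) are an interpretation of the report layout, not something the page states.

```python
"""Normalise a sandbox 'Malware Config' block into indicator records.

CONFIG_TEXT below is a constructed copy of the extracted-config lines on
this page. Field meanings (botnet name for RedLine, version for Amadey)
are assumptions about the report layout.
"""
import re
from collections import defaultdict

# Constructed from the page's Malware Config section (same values).
CONFIG_TEXT = """\
Extracted
redline
boris
193.233.20.32:4125
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
rotik
193.233.20.32:4125
auth_value
74863478ae154e921eb729354d2bb4bd
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
redline
whitedoc
81.161.229.143:45156
auth_value
2020d22aaa2ecafa1b12e00dfcffae03
"""

HOSTPORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")   # ip:port C2
URLPATH = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(/\S*)$")        # ip/path C2 (Amadey panel)
HEX32 = re.compile(r"^[0-9a-f]{32}$")                             # RedLine auth_value shape


def parse_configs(text):
    """Split the block on 'Extracted' markers and turn each entry into a dict."""
    records = []
    for block in text.split("Extracted\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        rec = {"family": lines[0], "label": None, "c2": None, "auth_value": None}
        i = 1
        while i < len(lines):
            tok = lines[i]
            if tok == "auth_value":          # key on one line, value on the next
                rec["auth_value"] = lines[i + 1]
                i += 2
                continue
            if HOSTPORT.match(tok) or URLPATH.match(tok):
                rec["c2"] = tok
            else:
                rec["label"] = tok           # botnet name (RedLine) or version (Amadey), assumed
            i += 1
        records.append(rec)
    return records


def c2_endpoints(records):
    """Return {endpoint: sorted 'family/label' names using it}; shared C2s stand out."""
    by_c2 = defaultdict(set)
    for r in records:
        if r["c2"]:
            by_c2[r["c2"]].add(f'{r["family"]}/{r["label"] or "-"}')
    return {k: sorted(v) for k, v in by_c2.items()}


def validate(records):
    """Every RedLine record should carry a 32-hex auth_value and a host:port C2."""
    problems = []
    for r in records:
        if r["family"] != "redline":
            continue
        if not (r["auth_value"] and HEX32.match(r["auth_value"])):
            problems.append((r["label"], "bad auth_value"))
        if not (r["c2"] and HOSTPORT.match(r["c2"])):
            problems.append((r["label"], "bad c2"))
    return problems


if __name__ == "__main__":
    recs = parse_configs(CONFIG_TEXT)
    for c2, users in c2_endpoints(recs).items():
        print(f"{c2:35} {', '.join(users)}")
    print("problems:", validate(recs))
```

Running it lists four distinct endpoints, with 193.233.20.32:4125 attributed to both the "boris" and "rotik" RedLine builds; feeding the `c2_endpoints` output to a blocklist or a SIEM watchlist is the natural next step.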
Targets
Target: 155919833797cd44c842cd9130dd9b55486da8f29b2bc81dc70775cfd15f27cc
Size: 1.0MB
MD5: 5951334654a8769c74441424496f023b
SHA1: 152056458b668e32e931f2068dca862faaa4b662
SHA256: 155919833797cd44c842cd9130dd9b55486da8f29b2bc81dc70775cfd15f27cc
SHA512: 008d103b22aedffc16926b1cb04c7550dca2cd013c4984ef0a66512339f4edb207df6dc6038a99a6e6e1c308985abb151b115219fa1f9252e5b751ef832acd13
SSDEEP: 24576:wysikbY8Ay96QUpSSt3BqURvQL5249g0V+t:3sjY8z6zpftRhoG0V+
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check before the payload runs.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application (persistence)
- Checks installed software on the system: enumerates Uninstall key entries in the registry to list the software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext (a common step in process hollowing, where a process is created suspended, its memory overwritten and its thread context redirected before it is resumed)
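The behavioural signatures above are each a pattern over the sample's API and registry activity. The script below is an added example (not the sandbox's own signature engine and not code from the page) that replays a process API trace and raises the same four behaviours the report lists: the geofence registry lookup, Uninstall-key enumeration, Run-key persistence, and SetThreadContext used in a create-suspended / write / set-context / resume sequence. The trace lines and their `pid|api|argument` format are constructed for the example; the registry paths (GeoID under HKCU\Control Panel\International\Geo, Uninstall and Run under ...\Windows\CurrentVersion) and the threshold of three enumerated Uninstall subkeys are assumptions about what such a signature keys on.

```python
"""Raise behavioural signatures from a constructed process API trace.

Trace format 'pid|api|argument' and the events themselves are constructed
for this example. Registry paths and the enumeration threshold are
assumptions about what the sandbox's signatures key on.
"""
import re
from collections import defaultdict

# Constructed trace: process 1234 shows the behaviours listed in the report;
# process 9999 is benign registry activity included as a negative case.
TRACE_LINES = [
    r"1234|RegOpenKeyExW|HKCU\Control Panel\International\Geo",
    r"1234|RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation",
    r"1234|RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"1234|RegEnumKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A1B2}",
    r"1234|RegEnumKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AppX",
    r"1234|RegEnumKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tool1",
    r"1234|RegSetValueExW|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"1234|CreateProcessW|target.exe flags=CREATE_SUSPENDED pid=5678",
    r"1234|WriteProcessMemory|pid=5678",
    r"1234|SetThreadContext|pid=5678",
    r"1234|ResumeThread|pid=5678",
    r"9999|RegSetValueExW|HKCU\Control Panel\Desktop\Wallpaper",
]

GEO_RE = re.compile(r"\\International\\Geo(\\Nation)?$", re.I)       # GeoID lookup (assumed key)
UNINSTALL_RE = re.compile(r"\\CurrentVersion\\Uninstall\\([^\\]+)$", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)          # Run, not RunOnce
PID_RE = re.compile(r"pid=(\d+)")
SOFTWARE_ENUM_THRESHOLD = 3   # assumed: this many distinct Uninstall subkeys counts as enumeration
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def parse_trace(lines):
    """Turn 'pid|api|argument' lines into (pid, api, argument) tuples."""
    events = []
    for line in lines:
        pid, api, arg = line.split("|", 2)
        events.append((int(pid), api, arg))
    return events


def signatures_for(events, pid):
    """Return the set of signature names triggered by one process's events."""
    hits = set()
    uninstall_keys = set()
    suspended = set()                 # child pids created with CREATE_SUSPENDED
    injected = defaultdict(set)       # child pid -> injection APIs seen so far
    for epid, api, arg in events:
        if epid != pid:
            continue
        if api.startswith("RegQueryValueEx") and GEO_RE.search(arg):
            hits.add("Checks computer location settings")
        m = UNINSTALL_RE.search(arg)
        if api.startswith("RegEnumKeyEx") and m:
            uninstall_keys.add(m.group(1).lower())
        if api.startswith("RegSetValueEx") and RUN_RE.search(arg):
            hits.add("Adds Run key to start application")
        target = PID_RE.search(arg)
        if api == "CreateProcessW" and "CREATE_SUSPENDED" in arg and target:
            suspended.add(int(target.group(1)))
        elif api in INJECTION_APIS and target:
            t = int(target.group(1))
            injected[t].add(api)
            if api == "SetThreadContext":
                hits.add("Suspicious use of SetThreadContext")
            # Hollowing pattern: suspended create, write, context swap, then resume last.
            if api == "ResumeThread" and t in suspended and injected[t] == INJECTION_APIS:
                hits.add("Process hollowing pattern")
    if len(uninstall_keys) >= SOFTWARE_ENUM_THRESHOLD:
        hits.add("Checks installed software on the system")
    return hits


if __name__ == "__main__":
    events = parse_trace(TRACE_LINES)
    for p in sorted({e[0] for e in events}):
        print(p, sorted(signatures_for(events, p)))
```

The ordering check matters: SetThreadContext alone is also used by debuggers, so the hollowing verdict is only given when the write and context change precede the resume of a process that was created suspended, which is what separates the injection sequence from benign use.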