General
Target: 9abb561a72a2bf2a308a3bc9e8da2d9a.exe
Size: 1.0MB
Sample: 230325-jzeqqsdh9y
MD5: 9abb561a72a2bf2a308a3bc9e8da2d9a
SHA1: 01e71e6f62fac90aa70bbe6a5ae7827fb1bf4cb3
SHA256: 8ffb5949e5c7a640b509d6fd0127eeb2363b651669f553c3c64f23b9c2fdd330
SHA512: dce6e91a2def101dbb2a04dee54c5e6fbd20c6e02282f71a8c433d09a9becb3ec0fd920f296593a67f51937e009aff313c003d2bf3cd6e5e7983991830c5bd54
SSDEEP: 12288:lMruy90Qn/L4oPoQsGwapkB3JqJEyNWZDb0MRpX0infM3i88VZie8qWtP2UfVVqq:byb/L4U0tSQ3JqEhH03EVoeBWdfVVqq

Static task: static1
Behavioral task: behavioral1
Sample: 9abb561a72a2bf2a308a3bc9e8da2d9a.exe
Resource: win7-20230220-en

Malware Config
Extracted: redline
  boris
  193.233.20.32:4125
  auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Extracted: redline
  lida
  193.233.20.32:4125
  auth_value: 24052aa2e9b85984a98d80cf08623e8d
Extracted: amadey
  3.68
  62.204.41.87/joomla/index.php

Targets
Target: 9abb561a72a2bf2a308a3bc9e8da2d9a.exe
Size: 1.0MB

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Signatures
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.