General
Target: bd8fb184b3ca9efe5c59ed36c6b12907024c20a35b01f4290f4c73ca7c7a7d4f
Size: 1.0MB
Sample: 230326-2tqj6acd5s
MD5: f05a5295798a1ded08607d50e7494c96
SHA1: 7f357ba584a13497c64ed48033796ccc649f5e69
SHA256: bd8fb184b3ca9efe5c59ed36c6b12907024c20a35b01f4290f4c73ca7c7a7d4f
SHA512: 5d13f87221e00586b7cb517e0fc0c363ffe3f7ee03ad774dc140888afe65e40e424f94d9fbf4190204164786e62d3f71a55a5fccaa50310d8553cbf2a83d5247
SSDEEP: 12288:oMrgy90UbUjCiKyuRQiWRHgvt+DU9hGVnqX/0A4dNkOBaN1wclxnH/KgF0uS/ckb:oynmARYRHF8sLdNDa1VPnSgF0uSAYPf
Static task
static1
Malware Config
Extracted: redline
  sony
  193.233.20.33:4125
  auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted: redline
  fort
  193.233.20.33:4125
  auth_value: 5ea5673154a804d8c80f565f7276f720
Extracted: amadey
  3.68
  62.204.41.87/joomla/index.php
Extracted: aurora
  212.87.204.93:8081
Targets
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Downloads MZ/PE file
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.