General
-
Target
cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8
-
Size
1.0MB
-
Sample
230326-ab61mseg59
-
MD5
9758bdd830fc1aea92d4228da220be0b
-
SHA1
06467734d162bdb2e1dcd6155022d1bb509cb771
-
SHA256
cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8
-
SHA512
179b8d432ac5bdc3c9d37e60ef87782c3bfc35cc91076e0c58f1a3eb6a155dd657c6a12e544c8022abb3c6eb7a13923b9bcb7b8f0634726443179316ef46b03a
-
SSDEEP
24576:ry3o2aqxVnpMdZFq2mT6Zbmb3q/Wf6b9ci1pbispepP:e5xol3mT6ZAwWybKijWspe
Static task
static1
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
netu
193.233.20.32:4125
-
auth_value
9641925ae487005582b5cf30476dd305
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Targets
-
-
Target
cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8
-
Size
1.0MB
-
MD5
9758bdd830fc1aea92d4228da220be0b
-
SHA1
06467734d162bdb2e1dcd6155022d1bb509cb771
-
SHA256
cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8
-
SHA512
179b8d432ac5bdc3c9d37e60ef87782c3bfc35cc91076e0c58f1a3eb6a155dd657c6a12e544c8022abb3c6eb7a13923b9bcb7b8f0634726443179316ef46b03a
-
SSDEEP
24576:ry3o2aqxVnpMdZFq2mT6Zbmb3q/Wf6b9ci1pbispepP:e5xol3mT6ZAwWybKijWspe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-