General
Target: 4c0538b1dd5b11c720addc22ff90bac5064513409d9bbb0ce65f4bcbd0c2193a
Size: 1.0MB
Sample: 230326-arfhmagh2y
MD5: bf44c7fa05df59caa122460a7964dfcf
SHA1: 2e6b40bce7a52c845a7395fd1d930d12e76e688d
SHA256: 4c0538b1dd5b11c720addc22ff90bac5064513409d9bbb0ce65f4bcbd0c2193a
SHA512: b49280d32ed19b8293f44b722db952c41a6112e0987592e67ad36170f45ee9481a9a9e2237bf6cc82f6f621e4637076478777feaaf560f391b2de8b81537ae74
SSDEEP: 24576:byVSG1ahw4/Rb3dAV9o6C/9bZ5tuWJko2DqV1QOb20qD/:OwG0f/R5Z7vOo2OV1vbgD
Static task: static1
Malware Config
Extracted: redline
- boris
- 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Extracted: redline
- netu
- 193.233.20.32:4125
- auth_value: 9641925ae487005582b5cf30476dd305
Extracted: amadey
- 3.68
- 62.204.41.87/joomla/index.php
Targets
- Target: 4c0538b1dd5b11c720addc22ff90bac5064513409d9bbb0ce65f4bcbd0c2193a (1.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext