General
-
Target
74de6a06696c18ba946b6a155886c6e9.bin
-
Size
970KB
-
Sample
230326-bvyztafa78
-
MD5
a40f9e133cb6a86c81828aeaf8fd76da
-
SHA1
b2cc2a271099e2943af2dcd06c649325baf1f055
-
SHA256
7b910ba2baeceb1e670d8d4524e13c376cbbd781af1362c0fe1568aba8aabe58
-
SHA512
54b5c07c2d84157f14bbd253449074a0e9ab01e1368cd78c7babe8b7f7df8b21073c28f102966399649d408b9b9069867872c3226b535a61861fa03e361079e6
-
SSDEEP
12288:DSMLDimJ1HvQznL7nHxW7Hg8ujQJ+m1PwjJmoheu1s+C4/LLflG1ZGNJ4Zbyz/Uj:D5DFHvYL7yX8SWmCb44/wcyrb/h
Static task
static1
Behavioral task
behavioral1
Sample
01a503d1dd46bbb4e8f160d957dcc4ad008d262c641b3dc63da3066f2002c8d3.exe
Resource
win7-20230220-en
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
lida
193.233.20.32:4125
-
auth_value
24052aa2e9b85984a98d80cf08623e8d
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)
151.80.89.234:19388
-
auth_value
56af49c3278d982f9a41ef2abb7c4d09
Extracted
redline
ngan003
199.115.193.116:11300
-
auth_value
b500a5cf0cb429e32a81c6ddcd8d4545
Targets
-
-
Target
01a503d1dd46bbb4e8f160d957dcc4ad008d262c641b3dc63da3066f2002c8d3.exe
-
Size
1013KB
-
MD5
74de6a06696c18ba946b6a155886c6e9
-
SHA1
63f0c72d0780a112a76f7efeae5429f6a6548085
-
SHA256
01a503d1dd46bbb4e8f160d957dcc4ad008d262c641b3dc63da3066f2002c8d3
-
SHA512
64aad628c86e2c6b90e4a3c3b736b5cee8c2b7475826209079c0bdc4be86fedd535e4b78e6ba95de25c2043c224ba404266f733f592a9c6c0060ef178ee1791d
-
SSDEEP
24576:Yy5JeDW7G30Wn9i/vZNMYsybjOKpXtWAHE5Pnd3jZn32CZjf:f+qBWnc/xNJxbKwLk5PndzR32C
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-