General
-
Target
d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130
-
Size
1.0MB
-
Sample
230326-d12zrshc9w
-
MD5
5d8b8c415dd1bbca33711a5b6d5d8744
-
SHA1
7491f732aa77e1b06122ef6ba59d81ada4791705
-
SHA256
d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130
-
SHA512
265068f5cd59314c2e74a86465c6fd87b0b7376ae96672c6fdc7fa8581a3d60e0906470c18915847962ff24e5621b56ed0dfae3bb6b857bff495e8acf115f9e2
-
SSDEEP
24576:qy+cEcg8Ub+5l1ZzXY/PZAbcfnrVgcbSjxbf3u:x+Ugvevo/+b2nhgccxT
Static task
static1
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
netu
193.233.20.32:4125
-
auth_value
9641925ae487005582b5cf30476dd305
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
ngan003
199.115.193.116:11300
-
auth_value
b500a5cf0cb429e32a81c6ddcd8d4545
Targets
-
-
Target
d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130
-
Size
1.0MB
-
MD5
5d8b8c415dd1bbca33711a5b6d5d8744
-
SHA1
7491f732aa77e1b06122ef6ba59d81ada4791705
-
SHA256
d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130
-
SHA512
265068f5cd59314c2e74a86465c6fd87b0b7376ae96672c6fdc7fa8581a3d60e0906470c18915847962ff24e5621b56ed0dfae3bb6b857bff495e8acf115f9e2
-
SSDEEP
24576:qy+cEcg8Ub+5l1ZzXY/PZAbcfnrVgcbSjxbf3u:x+Ugvevo/+b2nhgccxT
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-