General
- Target: 81c5039c3ca3f2e074775f7472d38f0c.exe
- Size: 1MB
- Sample: 230327-c9aq7sdd2x
- MD5: 81c5039c3ca3f2e074775f7472d38f0c
- SHA1: a43ff8435a22f2deeaa8cfdc3c9ab504900b2a65
- SHA256: d68d2c2c9fcac54a31eb59bad72fc8d7c48d5bcdb39b17cec886e018936165b7
- SHA512: f00a07435214133024c7d6c919868e5043a0e00f6de85b465e36576b55ff4f26fba24abdc6218bea005787e27502826e8644649b0b6bd795cb939c80eb4c0c0c
- SSDEEP: 24576:Cy4u2oy31+nhZacOFa9eJrzhMWI6wnOW3hr/SY9Qbm//JqNd:pJ2oU1+6a9eJrNJxuOW3tSY2bC/J8
Static task: static1
Behavioral task: behavioral1
- Sample: 81c5039c3ca3f2e074775f7472d38f0c.exe
- Resource: win7-20230220-en
Malware Config
Extracted: redline
- sony
- 193.233.20.33:4125
- auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted: redline
- fort
- 193.233.20.33:4125
- auth_value: 5ea5673154a804d8c80f565f7276f720
Extracted: amadey
- 3.68
- 62.204.41.87/joomla/index.php
Extracted: aurora
- 212.87.204.93:8081
Targets
- Target: 81c5039c3ca3f2e074775f7472d38f0c.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.