General
-
Target
tmp
-
Size
1.0MB
-
Sample
230328-w71pdsce63
-
MD5
621880d8e9bdf98018b4dc08d5d227b2
-
SHA1
77241bf2aa624ed6c9806b18c01e5258ea55ab0a
-
SHA256
4a6a242e1b10ae19a63b6a71cf3fbc2423b6c5ee4bb2244263fd178cfcbace8f
-
SHA512
26407110540c6740eb30a56185f6a7ada61c5dce0dace69dd3dd8fa23150ca8a3f90ff12c325318b780695a04e1e274654987fef9052480036ff5bca76bba280
-
SSDEEP
24576:jylxhjcFzSx0olaBdGrIdY9tURbTrlr40nMlu:2lxhc96vaHHdYkBp4O
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
Malware Config
Extracted
redline
66.42.108.195:40499
-
auth_value
f93019ca42e7f9440be3a7ee1ebc636d
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
duna
176.113.115.145:4125
-
auth_value
8879c60b4740ac2d7fb8831d4d3c396f
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Targets
-
-
Target
tmp
-
Size
1.0MB
-
MD5
621880d8e9bdf98018b4dc08d5d227b2
-
SHA1
77241bf2aa624ed6c9806b18c01e5258ea55ab0a
-
SHA256
4a6a242e1b10ae19a63b6a71cf3fbc2423b6c5ee4bb2244263fd178cfcbace8f
-
SHA512
26407110540c6740eb30a56185f6a7ada61c5dce0dace69dd3dd8fa23150ca8a3f90ff12c325318b780695a04e1e274654987fef9052480036ff5bca76bba280
-
SSDEEP
24576:jylxhjcFzSx0olaBdGrIdY9tURbTrlr40nMlu:2lxhc96vaHHdYkBp4O
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-