General
-
Target
c05fa38aaf010516cc3cb3f6f6afb7c90142bf3493dc0.exe
-
Size
989KB
-
Sample
230330-g928nscg2z
-
MD5
3421998c54dfff6ff4104adbc1309e3f
-
SHA1
9480c29ff2a0e55d5b7dd1f091fd0dc67fd1eb0e
-
SHA256
c05fa38aaf010516cc3cb3f6f6afb7c90142bf3493dc030adbd5473377d10f67
-
SHA512
636df82e3426a2cab6da3ddedbde67787931d5156a21af9c0da487b3ce0495fbebe11dddaeb3fea283c0aa6fd5ed18963072e930f6e77c8fe24adfb33cd72e9a
-
SSDEEP
24576:LyJuLinih+J8fb/Vm3603FtdN7j/YAVaeWckk:+wLinih+Jp6MFViZck
Static task
static1
Behavioral task
behavioral1
Sample
c05fa38aaf010516cc3cb3f6f6afb7c90142bf3493dc0.exe
Resource
win7-20230220-en
Malware Config
Extracted
redline
66.42.108.195:40499
-
auth_value
f93019ca42e7f9440be3a7ee1ebc636d
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
legi
176.113.115.145:4125
-
auth_value
a8baa360c57439b7cfeb1dc01ff2a466
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Extracted
redline
anhthe007
199.115.193.116:11300
-
auth_value
99c4662d697e1c7cb2fd84190b835994
Extracted
aurora
212.87.204.93:8081
Targets
-
-
Target
c05fa38aaf010516cc3cb3f6f6afb7c90142bf3493dc0.exe
-
Size
989KB
-
MD5
3421998c54dfff6ff4104adbc1309e3f
-
SHA1
9480c29ff2a0e55d5b7dd1f091fd0dc67fd1eb0e
-
SHA256
c05fa38aaf010516cc3cb3f6f6afb7c90142bf3493dc030adbd5473377d10f67
-
SHA512
636df82e3426a2cab6da3ddedbde67787931d5156a21af9c0da487b3ce0495fbebe11dddaeb3fea283c0aa6fd5ed18963072e930f6e77c8fe24adfb33cd72e9a
-
SSDEEP
24576:LyJuLinih+J8fb/Vm3603FtdN7j/YAVaeWckk:+wLinih+Jp6MFViZck
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-