General
-
Target
0x00090000000122fe-1071.dat
-
Size
236KB
-
Sample
230330-hf1cnacg5s
-
MD5
c5ad51ae7ec23116acfae244be5babd9
-
SHA1
f647d0c1a6df223ac59ea4e234ce756d6767eb66
-
SHA256
82c5b91b2761765265d57c79aa4c47fbcc18205614524ca610b95b8003d6d661
-
SHA512
5b735f36398559493f1f4c803539acd3e0c356fc5800935888e5c09dd757071fe36dafb6e11134c1051877d6e3eab2bcc4009d3b6f72681b5fce264c9609537f
-
SSDEEP
3072:N2gKdS0PkjvF5fHdjdyhRGc6zMBdSkbcaKhSdctuVi1VWQO3eIb1NcaWVJ5L:A9d78jt5fHbyhRFMMBd/ySMuViNSc39
Behavioral task
behavioral1
Sample
0x00090000000122fe-1071.exe
Resource
win7-20230220-en
Malware Config
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Extracted
redline
66.42.108.195:40499
-
auth_value
f93019ca42e7f9440be3a7ee1ebc636d
Extracted
redline
anhthe007
199.115.193.116:11300
-
auth_value
99c4662d697e1c7cb2fd84190b835994
Extracted
aurora
212.87.204.93:8081
Targets
-
-
Target
0x00090000000122fe-1071.dat
-
Size
236KB
-
MD5
c5ad51ae7ec23116acfae244be5babd9
-
SHA1
f647d0c1a6df223ac59ea4e234ce756d6767eb66
-
SHA256
82c5b91b2761765265d57c79aa4c47fbcc18205614524ca610b95b8003d6d661
-
SHA512
5b735f36398559493f1f4c803539acd3e0c356fc5800935888e5c09dd757071fe36dafb6e11134c1051877d6e3eab2bcc4009d3b6f72681b5fce264c9609537f
-
SSDEEP
3072:N2gKdS0PkjvF5fHdjdyhRGc6zMBdSkbcaKhSdctuVi1VWQO3eIb1NcaWVJ5L:A9d78jt5fHbyhRFMMBd/ySMuViNSc39
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-