General
-
Target
0x0009000000012310-1070.dat
-
Size
236KB
-
Sample
230330-ksl2xabg94
-
MD5
4c92f02ab2803db43d3163f43ce0995a
-
SHA1
0850edb0502ac707c12d37ad1fa1f4fd46be2ff3
-
SHA256
41683d8b8c2803d449855641f994f9619aec6d22c4cc6910f37dd853e83fb8ad
-
SHA512
d514d6cb7fdfa62f4ca49481a14fee94ce2b1d77849586b7fb0373a91566151b08166fd1bbc7decf4bb69e83ed738fa76ac927bf21bf737305844cb949015b8c
-
SSDEEP
3072:N2gKdS0PkjvF5fHdjdyhRGc6zMBdSkbcaKhSdctuVi1VWQO3eIb1NcaWVJ5L:A9d78jt5fHbyhRFMMBd/ySMuViNSc39
Behavioral task
behavioral1
Sample
0x0009000000012310-1070.exe
Resource
win7-20230220-en
Malware Config
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Extracted
redline
66.42.108.195:40499
-
auth_value
f93019ca42e7f9440be3a7ee1ebc636d
Extracted
redline
anhthe007
199.115.193.116:11300
-
auth_value
99c4662d697e1c7cb2fd84190b835994
Extracted
aurora
212.87.204.93:8081
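The extracted configs above are what an analyst turns into blocklist entries. The following parser is an added example, not part of this report or of the sandbox's own extractor: it reads the flat-text config section as exported here (the values are the report's own) and produces structured C2 indicators per family. Treating the bare `anhthe007` token in the second RedLine entry as a botnet/campaign label, and the Amadey C2 as plain HTTP because no scheme is given, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the Malware Config section of this report (the values are
# the report's own; the layout mimics the flat text export).
REPORT_CONFIG = """\
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Extracted
redline
66.42.108.195:40499
-
auth_value
f93019ca42e7f9440be3a7ee1ebc636d
Extracted
redline
anhthe007
199.115.193.116:11300
-
auth_value
99c4662d697e1c7cb2fd84190b835994
Extracted
aurora
212.87.204.93:8081
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_PORT = re.compile(rf"^({IPV4}):(\d{{1,5}})$")
URL_PATH = re.compile(rf"^({IPV4})(/\S*)$")
BARE_IP = re.compile(rf"^{IPV4}$")
VERSION = re.compile(r"^\d+(?:\.\d+)*$")


@dataclass
class ExtractedConfig:
    family: str
    c2_host: str = ""
    c2_port: Optional[int] = None
    c2_path: Optional[str] = None
    version: Optional[str] = None
    botnet: Optional[str] = None      # assumption: bare label = botnet/campaign tag
    auth_value: Optional[str] = None


def parse_config(text: str) -> List[ExtractedConfig]:
    """Split the export on 'Extracted' markers; each chunk is one config."""
    entries = []
    for chunk in text.split("Extracted"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip() and l.strip() != "-"]
        if not lines:
            continue
        cfg = ExtractedConfig(family=lines[0].lower())
        i = 1
        while i < len(lines):
            tok = lines[i]
            if (m := HOST_PORT.match(tok)):
                cfg.c2_host, cfg.c2_port = m.group(1), int(m.group(2))
            elif (m := URL_PATH.match(tok)):
                cfg.c2_host, cfg.c2_path = m.group(1), m.group(2)
            elif BARE_IP.match(tok):          # checked before VERSION: an IP also looks like "a.b.c.d"
                cfg.c2_host = tok
            elif tok == "auth_value" and i + 1 < len(lines):
                cfg.auth_value = lines[i + 1]
                i += 1
            elif VERSION.match(tok):
                cfg.version = tok
            else:
                cfg.botnet = tok
            i += 1
        entries.append(cfg)
    return entries


def network_iocs(entries: List[ExtractedConfig]) -> List[str]:
    """Flatten configs to host:port / URL strings suitable for a blocklist."""
    out = set()
    for e in entries:
        if e.c2_port is not None:
            out.add(f"{e.c2_host}:{e.c2_port}")
        elif e.c2_path:
            out.add(f"http://{e.c2_host}{e.c2_path}")   # assumption: plain HTTP, no scheme in report
        elif e.c2_host:
            out.add(e.c2_host)
    return sorted(out)


if __name__ == "__main__":
    for ioc in network_iocs(parse_config(REPORT_CONFIG)):
        print(ioc)
```

The RedLine `auth_value` is worth keeping alongside the host:port: it is the per-build token the client presents to the panel, so it ties a network sighting back to a specific build even when the C2 address is reused.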
Targets
-
Target
0x0009000000012310-1070.dat
-
Size
236KB
-
MD5
4c92f02ab2803db43d3163f43ce0995a
-
SHA1
0850edb0502ac707c12d37ad1fa1f4fd46be2ff3
-
SHA256
41683d8b8c2803d449855641f994f9619aec6d22c4cc6910f37dd853e83fb8ad
-
SHA512
d514d6cb7fdfa62f4ca49481a14fee94ce2b1d77849586b7fb0373a91566151b08166fd1bbc7decf4bb69e83ed738fa76ac927bf21bf737305844cb949015b8c
-
SSDEEP
3072:N2gKdS0PkjvF5fHdjdyhRGc6zMBdSkbcaKhSdctuVi1VWQO3eIb1NcaWVJ5L:A9d78jt5fHbyhRFMMBd/ySMuViNSc39
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
SetThreadContext on a suspended thread is commonly used to redirect execution into injected code (process hollowing).
-
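The signature list above names behaviours, not the telemetry that reveals them. As an added example (not the sandbox's own signature code), here is how those behaviours can be matched against host events. The event shape, the registry paths, the IP-lookup hostnames and the sample events themselves are assumptions constructed for the example; the report names only the behaviours.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumed registry locations and lookup services for the rules below.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ifconfig.me", "checkip.amazonaws.com"}

# Constructed Sysmon-style events (not taken from the report's task).
DROPPED = r"C:\Users\user\AppData\Local\Temp\dropped.exe"
SAMPLE_EVENTS = [
    {"type": "file_write", "pid": 1200, "path": DROPPED},
    {"type": "process_create", "pid": 1340, "ppid": 1200, "image": DROPPED},
    {"type": "registry_set", "pid": 1340,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "value": DROPPED},
    {"type": "registry_query", "pid": 1340,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "registry_query", "pid": 1340, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns", "pid": 1340, "query": "api.ipify.org"},
    {"type": "api", "pid": 1340, "name": "SetThreadContext", "target_pid": 1400},
    {"type": "registry_query", "pid": 900, "key": r"HKCU\Software\Classes\.txt"},  # benign control
]


def evaluate(events: List[dict]) -> Dict[str, List[dict]]:
    """Return {signature name: [matching events]} over an ordered event stream."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    dropped = set()  # .exe paths written by any monitored process, seen in order
    for ev in events:
        t = ev["type"]
        if t == "file_write" and ev["path"].lower().endswith(".exe"):
            dropped.add(ev["path"].lower())
        elif t == "process_create" and ev["image"].lower() in dropped:
            hits["Executes dropped EXE"].append(ev)
        elif t == "registry_set" and RUN_KEY.search(ev["key"]):
            hits["Adds Run key to start application"].append(ev)
        elif t == "registry_query":
            if UNINSTALL_KEY.search(ev["key"]):
                hits["Checks installed software on the system"].append(ev)
            elif GEO_KEY.search(ev["key"]):
                hits["Checks computer location settings"].append(ev)
        elif t == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append(ev)
        elif t == "api" and ev["name"] == "SetThreadContext" and ev.get("target_pid") != ev["pid"]:
            # Only cross-process use is flagged; a process adjusting its own threads is common.
            hits["Suspicious use of SetThreadContext"].append(ev)
    return dict(hits)


def pids_with_signatures(hits: Dict[str, List[dict]]) -> Dict[int, List[str]]:
    """Pivot to per-process view so an analyst sees which PID carries which behaviours."""
    by_pid: Dict[int, List[str]] = defaultdict(list)
    for name, evs in hits.items():
        for ev in evs:
            if name not in by_pid[ev["pid"]]:
                by_pid[ev["pid"]].append(name)
    return dict(by_pid)


if __name__ == "__main__":
    for pid, names in pids_with_signatures(evaluate(SAMPLE_EVENTS)).items():
        print(pid, names)
```

Ordering matters for the dropped-EXE rule: the write must precede the process creation, which is why the stream is evaluated in sequence rather than as a set of independent matches.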