General
-
Target
0e66ff401502920021b347fb998c8fd222f83f3a0f43579c89f3e53d3bd5d254
-
Size
1001KB
-
Sample
230331-yhrrasch68
-
MD5
e40c169b88af36494d50beda9fcd8960
-
SHA1
e55e9809ed4502c8c91f7243db2f12d7d7b9071c
-
SHA256
0e66ff401502920021b347fb998c8fd222f83f3a0f43579c89f3e53d3bd5d254
-
SHA512
51832533527b697bea5a139975cf3041cbe2fbcc5b30b7d2c332bc053696f8dc750467e913d2e42a909160c064a1cc65fc76422cece80d99053e4fccfcfa8168
-
SSDEEP
12288:CMrLy90OPZBBhDWzkG/0++p0sOh99ZeGGTtiuM5DkgUO+l1FYrEbdE2B1O6ZRtY4:VydPH2t+2sOH9oyohxbxb5B1jtYn4
Static task
static1
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Targets
-
-
Target
0e66ff401502920021b347fb998c8fd222f83f3a0f43579c89f3e53d3bd5d254
-
Size
1001KB
-
MD5
e40c169b88af36494d50beda9fcd8960
-
SHA1
e55e9809ed4502c8c91f7243db2f12d7d7b9071c
-
SHA256
0e66ff401502920021b347fb998c8fd222f83f3a0f43579c89f3e53d3bd5d254
-
SHA512
51832533527b697bea5a139975cf3041cbe2fbcc5b30b7d2c332bc053696f8dc750467e913d2e42a909160c064a1cc65fc76422cece80d99053e4fccfcfa8168
-
SSDEEP
12288:CMrLy90OPZBBhDWzkG/0++p0sOh99ZeGGTtiuM5DkgUO+l1FYrEbdE2B1O6ZRtY4:VydPH2t+2sOH9oyohxbxb5B1jtYn4
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-