General
-
Target
7c7d84dafc9c486bcb988a5449e3bdc0c94f8c3ad1716037b1d4fd3d8b396ca4
-
Size
1001KB
-
Sample
230331-yy8dzsdb26
-
MD5
1800d9d60a293388cc8766cda20cdfec
-
SHA1
4c2972fe0be7c60f4d7dbf86a087bbe183831e1e
-
SHA256
7c7d84dafc9c486bcb988a5449e3bdc0c94f8c3ad1716037b1d4fd3d8b396ca4
-
SHA512
48d0a40c5f69dc42a0cf071b4a89d25642fc53f5d4953842cc4369fd743ec42e06f7481151a54290a2b8e64f85eb739985c19624335ad660a022d89af52e0ad7
-
SSDEEP
12288:3MrIy902rOX4Fw0jwwtNTrJH//eF+TMuYlDqRWgZrnF5tKDbezWOt9XPCX2RWRPo:DyvnW0h/3JL9+m8qF4blOtdWRVfW
Static task
static1
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Targets
-
-
Target
7c7d84dafc9c486bcb988a5449e3bdc0c94f8c3ad1716037b1d4fd3d8b396ca4
-
Size
1001KB
-
MD5
1800d9d60a293388cc8766cda20cdfec
-
SHA1
4c2972fe0be7c60f4d7dbf86a087bbe183831e1e
-
SHA256
7c7d84dafc9c486bcb988a5449e3bdc0c94f8c3ad1716037b1d4fd3d8b396ca4
-
SHA512
48d0a40c5f69dc42a0cf071b4a89d25642fc53f5d4953842cc4369fd743ec42e06f7481151a54290a2b8e64f85eb739985c19624335ad660a022d89af52e0ad7
-
SSDEEP
12288:3MrIy902rOX4Fw0jwwtNTrJH//eF+TMuYlDqRWgZrnF5tKDbezWOt9XPCX2RWRPo:DyvnW0h/3JL9+m8qF4blOtdWRVfW
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-