General
- Target: 309a505e8b17f1dc46fa2ed1a305eb0a028a6de7c60f8267e0769915b38d02a9
- Size: 1008KB
- Sample: 230403-fe56eaec3x
- MD5: a7396fab3c4032b60e9bbf345d139349
- SHA1: 7048264429ef402a09de75035407aed311f20919
- SHA256: 309a505e8b17f1dc46fa2ed1a305eb0a028a6de7c60f8267e0769915b38d02a9
- SHA512: 867df71563b336c2eeba7205ed2b96b2c3ccb0651902dfe3cc1ab8d12ea9f5b11a086579d690841bf8491750adf914d7fb9f32e09fe0064b605ff0d731a5e0c5
- SSDEEP: 24576:DyzU2XWFuV0FAx6Z79x4tb1VApew2MGtlUadd:Wz3GFHTZ78LApKMGsa
Static task: static1
Malware Config
- Extracted: redline
  - rosn
  - 176.113.115.145:4125
  - auth_value: 050a19e1db4d0024b0f23b37dcf961f4
- Extracted: redline
  - link
  - 176.113.115.145:4125
  - auth_value: 77e4c7bc6fea5ae755b29e8aea8f7012
- Extracted: amadey
  - 3.69
  - 193.233.20.36/joomla/index.php
- Extracted: redline
  - Anh123
  - 199.115.193.116:11300
  - auth_value: db990971ec3911c24ea05eeccc2e1f60
- Extracted: aurora
  - 141.98.6.253:8081
  - 212.87.204.93:8081
Targets
- Target: 309a505e8b17f1dc46fa2ed1a305eb0a028a6de7c60f8267e0769915b38d02a9
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext