General
Target: d539b20ba21090a325b74ba95d3c517a.exe
Size: 1.1MB
Sample: 230405-s1wv3sff74
MD5: d539b20ba21090a325b74ba95d3c517a
SHA1: 3aa76b8c7cfe14ba388d5060d07252eb168e4a2e
SHA256: db5f8ac767385c72f311c050fd411b824a6b42b6b92872a4d9ef133747ed7da9
SHA512: cbc2a86a76731bf219c2b134ccdba944da44da7957dd2f7304c6fa13f2b6b6afb834e2cb6c49f2db7e5e3b5f28d637f97d345af09f50b1f4f35c7e0581de9feb
SSDEEP: 24576:iy+1CG5q4PXX0LFvXo83mEI4lCFV2ZKoTv6hInFgGSm1y3mW:J+YG5q4cLFQ0mEI4CFKfTv6hInjim
Static task: static1
Malware Config

Extracted: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted: redline
Botnet: linos
C2: 77.91.124.145:4125
auth_value: 85221849d0efabfea4d7563bb7454724

Extracted: amadey
Version: 3.69
C2: 193.233.20.36/joomla/index.php

Extracted: aurora
C2: 141.98.6.253:8081

Extracted: redline
Botnet: Anh123
C2: 199.115.193.116:11300
auth_value: db990971ec3911c24ea05eeccc2e1f60

Extracted: redline
Botnet: Pizdun
C2: 94.142.138.219:20936
auth_value: 20a1f7fe6575c6613ee7cc5d3025af70

Extracted: xworm
install_file: SvcHostSC.exe

Extracted: marsstealer
Botnet: Default
C2: vooip5884.ddns.net/YUHI87PJM.php
Targets
Target: d539b20ba21090a325b74ba95d3c517a.exe
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Downloads MZ/PE file
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext