General

Target: 499ba94acae43ff741267e826e5bc7266503b61654132160fee6bcbd58fd678f.bin
Size: 1.5MB
Sample: 230501-twf5hacf96
MD5: 1d8f4a3ecb2b6ee48279ba5b7b2bd5b5
SHA1: 24f467fbead51eb3efe9492e336f117b92d4b30c
SHA256: 499ba94acae43ff741267e826e5bc7266503b61654132160fee6bcbd58fd678f
SHA512: 9a4bdf29d599dd5d740a84b0011de697579b1ea8c754e071638e56389689dceaa06b1e3974690724074228187c86e6d8a7db12f6e5c96a858ded1e547bdb96fc
SSDEEP: 24576:Fy2rj1AMbVcBvuSr5HKHkPxKt1nQ4hTDrM4s3zugH8Ei4TQj96MX8iJZZzcHKpd:gqpAMo2Sr5HKHkPAtFQ4hgjuw8E+96Xu
Static task: static1
Behavioral task: behavioral1
Sample: 499ba94acae43ff741267e826e5bc7266503b61654132160fee6bcbd58fd678f.exe
Resource: win7-20230220-en
Malware Config

Extracted: amadey
3.70
212.113.119.255/joomla/index.php

Extracted: redline
life
185.161.248.73:4164
auth_value: 8685d11953530b68ad5ec703809d9f91

Extracted: redline
gena
185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Targets
- Detects Redline Stealer samples: This rule detects the presence of Redline Stealer samples based on their unique strings.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.