General
-
Target
97587c0b6c362a7b208cb2aaabcf3de799774fb0e0eacb0fc95ea899c07bc4a3
-
Size
480KB
-
Sample
230505-xaelbsgc2z
-
MD5
2026cbf23fa7ee45688104da852c683b
-
SHA1
9b3313e3a896675320e4a3c905b4d31a457c9f50
-
SHA256
97587c0b6c362a7b208cb2aaabcf3de799774fb0e0eacb0fc95ea899c07bc4a3
-
SHA512
a3f325f1393dc3bf75913a7164a9597f6845f3d563f7baac0a3017a4d9f386dee24112015dd8efae37cf64c9b8cb4701490e1af7e9120707b9076dc09807d0e6
-
SSDEEP
12288:wMrAy90Sv9EE3ovFDM8qDbvFfwr5R/ZQ0:gyZZCDJqFwFRy0
Malware Config
Extracted
redline
daris
217.196.96.56:4138
-
auth_value
3491f24ae0250969cd45ce4b3fe77549
Targets
-
-
Target
97587c0b6c362a7b208cb2aaabcf3de799774fb0e0eacb0fc95ea899c07bc4a3
-
Size
480KB
-
MD5
2026cbf23fa7ee45688104da852c683b
-
SHA1
9b3313e3a896675320e4a3c905b4d31a457c9f50
-
SHA256
97587c0b6c362a7b208cb2aaabcf3de799774fb0e0eacb0fc95ea899c07bc4a3
-
SHA512
a3f325f1393dc3bf75913a7164a9597f6845f3d563f7baac0a3017a4d9f386dee24112015dd8efae37cf64c9b8cb4701490e1af7e9120707b9076dc09807d0e6
-
SSDEEP
12288:wMrAy90Sv9EE3ovFDM8qDbvFfwr5R/ZQ0:gyZZCDJqFwFRy0
Score10/10-
Detects Redline Stealer samples
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-