General
-
Target
ffa96e40c3958cd777744904cb54a155e6758c00ed5f33d2d922b6ec1232cddb
-
Size
1.4MB
-
Sample
230505-zf8sgadh43
-
MD5
273330d22e3d56be8a8824cd86442c5c
-
SHA1
592a48b56097d0aae86545c474519d481ffa27d9
-
SHA256
ffa96e40c3958cd777744904cb54a155e6758c00ed5f33d2d922b6ec1232cddb
-
SHA512
3c8d5156a632d36dfccdb77cb7f3bef3911e7b1e4e1a9775c3653ff8b788cb4b8b89c06dbb7e9fcaf4eb2534e008a6e9d9860122ea23cf648550be16e3b07a35
-
SSDEEP
24576:dyABWYdBeo9R9USkRVsD5d5so5Xnkgz6VY5YGPtSp3Zs0f54RK/dpx13P1Fy15aj:4AEan7Hd2M3eqYf3SO4y13NwnP
Malware Config
Extracted
redline
mask
217.196.96.56:4138
-
auth_value
31aef25be0febb8e491794ef7f502c50
Extracted
redline
boom
217.196.96.56:4138
-
auth_value
1ce6aebe15bac07a7bc88b114bc49335
Targets
-
-
Target
ffa96e40c3958cd777744904cb54a155e6758c00ed5f33d2d922b6ec1232cddb
-
Size
1.4MB
-
MD5
273330d22e3d56be8a8824cd86442c5c
-
SHA1
592a48b56097d0aae86545c474519d481ffa27d9
-
SHA256
ffa96e40c3958cd777744904cb54a155e6758c00ed5f33d2d922b6ec1232cddb
-
SHA512
3c8d5156a632d36dfccdb77cb7f3bef3911e7b1e4e1a9775c3653ff8b788cb4b8b89c06dbb7e9fcaf4eb2534e008a6e9d9860122ea23cf648550be16e3b07a35
-
SSDEEP
24576:dyABWYdBeo9R9USkRVsD5d5so5Xnkgz6VY5YGPtSp3Zs0f54RK/dpx13P1Fy15aj:4AEan7Hd2M3eqYf3SO4y13NwnP
Score10/10-
Detects Redline Stealer samples
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-