General
Target: 624674655afa629fc13f57d22b61365c3c2f4ba19e6d75c0ece9d6060ff17feb.bin
Size: 1.5MB
Sample: 230506-148m2sdb6t
MD5: c7800a107b2dc2e9c2239edbb231a76d
SHA1: 708288f539d1c3757fbec6ecdc38f6f86dbc3005
SHA256: 624674655afa629fc13f57d22b61365c3c2f4ba19e6d75c0ece9d6060ff17feb
SHA512: e7fc451b4af7ae2e1cef22d8d88a9d814c7f97129feb031a2511521bc255e7768a5bda7a2cbdc1c34b6715a987d5b81c24175da6322092b89d406661ada80d15
SSDEEP: 24576:fyq4dKniwanjI3qrw1tniVqB0qB7JuYXI0FJM+cXjLF6jI3cmknYFcaC:qVYUjI3wAtiQ0ilJM+Mj0nYFf

Static task
static1

Behavioral task
behavioral1
Sample: 624674655afa629fc13f57d22b61365c3c2f4ba19e6d75c0ece9d6060ff17feb.exe
Resource: win7-20230220-en

Behavioral task
behavioral2
Sample: 624674655afa629fc13f57d22b61365c3c2f4ba19e6d75c0ece9d6060ff17feb.exe
Resource: win10v2004-20230220-en

Malware Config

Extracted
amadey
3.70
212.113.119.255/joomla/index.php

Extracted
redline
gena
185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted
redline
life
185.161.248.73:4164
auth_value: 8685d11953530b68ad5ec703809d9f91

Targets
Target: 624674655afa629fc13f57d22b61365c3c2f4ba19e6d75c0ece9d6060ff17feb.bin
Size: 1.5MB
MD5: c7800a107b2dc2e9c2239edbb231a76d
SHA1: 708288f539d1c3757fbec6ecdc38f6f86dbc3005
SHA256: 624674655afa629fc13f57d22b61365c3c2f4ba19e6d75c0ece9d6060ff17feb
SHA512: e7fc451b4af7ae2e1cef22d8d88a9d814c7f97129feb031a2511521bc255e7768a5bda7a2cbdc1c34b6715a987d5b81c24175da6322092b89d406661ada80d15
SSDEEP: 24576:fyq4dKniwanjI3qrw1tniVqB0qB7JuYXI0FJM+cXjLF6jI3cmknYFcaC:qVYUjI3wAtiQ0ilJM+Mj0nYFf

Detects Redline Stealer samples
This rule detects the presence of Redline Stealer samples based on their unique strings.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence check.

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application