General
Target: 44951f929dfae499ef0239da62b82d3ff498d91adc9ef14a196db2aeb80900eb.bin
Size: 1.5MB
Sample: 230506-1gmr3agf94
MD5: 1f6165e15c0614c730d1324f1c23fe28
SHA1: bd7c79c6c67a3c9273ef5e2700e05becdfb7fb54
SHA256: 44951f929dfae499ef0239da62b82d3ff498d91adc9ef14a196db2aeb80900eb
SHA512: 6f95f6d3ea50ab89d72059bc0de89aafa90e179d2fe8dbfdfdf5617a9f7faade1df25e186c5c4fdf6c3f5e4476c29f9f62457fe1780438e59c5895e1a287f1aa
SSDEEP: 24576:jyh6ZX0fJ5da1G1KzogLtYpeioA3sc0Zx0KKtSUK1UbAsBG/4USfQ:2h6yHEcF6tIei0c0bJZk7G/4pf
Static task: static1
Behavioral task: behavioral1
Sample: 44951f929dfae499ef0239da62b82d3ff498d91adc9ef14a196db2aeb80900eb.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 44951f929dfae499ef0239da62b82d3ff498d91adc9ef14a196db2aeb80900eb.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted: amadey
Version: 3.70
C2: 212.113.119.255/joomla/index.php
Extracted: redline
Botnet: life
C2: 185.161.248.73:4164
auth_value: 8685d11953530b68ad5ec703809d9f91
Extracted: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Targets
Target: 44951f929dfae499ef0239da62b82d3ff498d91adc9ef14a196db2aeb80900eb.bin (size and hashes as listed under General above)
- Detects Redline Stealer samples: This rule detects the presence of Redline Stealer samples based on their unique strings.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application