General

Target: 16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f
Size: 1.5MB
Sample: 230506-3fk8ysad61
MD5: 8a22b70f14a4f49b66f2dbfc87ace964
SHA1: 60f505115b406d4e0720e2d0edf32259afa5a880
SHA256: 16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f
SHA512: f5321d8b51e63720f067effdc8c6218da713bb9f11726472e24fb06a8543e020df623fa5d59799a65bd77f151f5171054a0bb3bb7bd38faed6498e970f17f9f2
SSDEEP: 24576:QysJ/ZPObt3GcORFYlrEPXDtLNsKi2AtIaQKzYpfVgJ7z8N4Q1d6qK1eC6+pLQsp:XsVZPOB3GcOrRPzthqnIaQ7p9QhQuqKY
Static task: static1

Behavioral task: behavioral1
  Sample: 16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f.exe
  Resource: win10v2004-20230220-en
Malware Config

Extracted: amadey
  Version: 3.70
  C2: 212.113.119.255/joomla/index.php

Extracted: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91

Extracted: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Both RedLine configs point at the same C2 endpoint and differ only in botnet name and auth_value, so a single network indicator (185.161.248.73 on TCP/4164) covers both.
Targets

Target: 16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f
Size: 1.5MB
MD5: 8a22b70f14a4f49b66f2dbfc87ace964
SHA1: 60f505115b406d4e0720e2d0edf32259afa5a880
SHA256: 16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f
SHA512: f5321d8b51e63720f067effdc8c6218da713bb9f11726472e24fb06a8543e020df623fa5d59799a65bd77f151f5171054a0bb3bb7bd38faed6498e970f17f9f2
SSDEEP: 24576:QysJ/ZPObt3GcORFYlrEPXDtLNsKi2AtIaQKzYpfVgJ7z8N4Q1d6qK1eC6+pLQsp:XsVZPOB3GcOrRPzthqnIaQ7p9QhQuqKY

Signatures

- Detects Redline Stealer samples: this rule detects the presence of RedLine Stealer samples based on strings unique to the family.
- RedLine: RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.
- Checks computer location settings: looks up the country code configured in the registry, most likely as a geofence so the sample can refuse to run in certain regions.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
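The indicators in the Malware Config section (the shared RedLine C2 and the Amadey check-in URL) and the behavioural signatures above (known sample executed, Run key persistence) are the parts of this report a responder actually hunts with. The block below is an added example and is not part of the sandbox report or of any tool it names: it turns those values into a small matcher and runs it over constructed Sysmon-style JSON events. The field names (EventID, Image, Hashes, DestinationIp, DestinationPort, TargetObject, Details) follow Sysmon's schema for event types 1, 3 and 13; the events, file paths and the dropped file name are made up for the example, the `http://` scheme on the Amadey URL is assumed because the report gives only host and path, and no port is known for the Amadey C2, so that rule matches on host alone.

```python
"""Added example: IOC/behaviour matcher built from the report's config.

Not part of the sandbox report. Events, paths and file names below are
constructed; only the indicators are copied from the report.
"""
import json
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config section.
REDLINE_C2 = ("185.161.248.73", 4164)            # both RedLine configs share this C2
AMADEY_C2_URL = "http://212.113.119.255/joomla/index.php"  # scheme assumed; page gives host/path only
SAMPLE_SHA256 = "16479c603d22a4dad9b49b38691fdac46cd46981a1561affd76577ad8c32615f"
RUN_KEY_MARKER = "\\currentversion\\run\\"       # matches HKLM/HKU/HKCU Run keys alike


def _amadey_host() -> str:
    return urlsplit(AMADEY_C2_URL).hostname


def check_event(event: dict) -> list[str]:
    """Return the names of every rule that a single Sysmon-style event trips."""
    hits = []
    eid = event.get("EventID")
    # Event 1 (process create): the report's SHA256 appears in the Hashes field.
    if eid == 1 and SAMPLE_SHA256 in event.get("Hashes", "").lower():
        hits.append("known_sample_executed")
    # Event 3 (network connect): exact ip:port for RedLine, host-only for Amadey.
    if eid == 3:
        dst = (event.get("DestinationIp"), event.get("DestinationPort"))
        if dst == REDLINE_C2:
            hits.append("redline_c2_connect")
        if dst[0] == _amadey_host():
            hits.append("amadey_c2_connect")   # port unknown from the report
    # Event 13 (registry value set): "Adds Run key to start application".
    if eid == 13 and RUN_KEY_MARKER in event.get("TargetObject", "").lower():
        hits.append("run_key_persistence")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON events and collect every rule hit.

    Malformed lines are skipped instead of aborting the scan, which is the
    behaviour you want when running over a live forwarded log.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in check_event(event):
            findings.append({"line": lineno, "rule": rule, "image": event.get("Image")})
    return findings


def match_proxy_url(url: str) -> bool:
    """For web-proxy logs: True if the requested URL is the Amadey check-in URL."""
    want, got = urlsplit(AMADEY_C2_URL), urlsplit(url)
    return (got.hostname, got.path) == (want.hostname, want.path)


# Constructed events (not from the report); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\sample.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 3, "Image": r"C:\Users\user\Desktop\sample.exe",
     "DestinationIp": "185.161.248.73", "DestinationPort": 4164},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "DestinationIp": "212.113.119.255", "DestinationPort": 80},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\dropped",
     "Details": r"C:\Users\user\AppData\Local\Temp\dropped.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json\n"

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} ({f['image']})")
```

The RedLine rule deliberately requires both IP and port: the same IP on another port is not evidence of this config and is left to the looser Amadey host rule, which has no port to key on. Hash matching is case-insensitive because Sysmon emits hashes in upper case while the report prints them in lower case.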