General
Target: 3aae226011fe701d80b6b81e4f4e1a30355c7f37bbc43bdc6f4badf2b2f7f03e.bin
Size: 1.4MB
Sample: 230506-z9m3vsfh46
MD5: 96bc683f638c92fb6da6ce395d9a191f
SHA1: 04d237299fab981c809d110259fe4e4dad36292a
SHA256: 3aae226011fe701d80b6b81e4f4e1a30355c7f37bbc43bdc6f4badf2b2f7f03e
SHA512: bfb6b84a67494db1bd3016bd6ab16394057398bbd310f2331ad4cbc2dedcd06719dd67a7470c10f3c7eb22df040994ae7bcfd8553094a0183d690c526eadd248
SSDEEP: 24576:OyCf61BwWrklP5ndz5Ft56Ml0GzgralNKF3HYMyXWnzcUEv5B+9DA:dpklP5dz7tYM6aE3YMd5W+9
Static task: static1
Behavioral task: behavioral1
  Sample: 3aae226011fe701d80b6b81e4f4e1a30355c7f37bbc43bdc6f4badf2b2f7f03e.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 3aae226011fe701d80b6b81e4f4e1a30355c7f37bbc43bdc6f4badf2b2f7f03e.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: amadey
  3.70
  212.113.119.255/joomla/index.php
Extracted: redline
  gena
  185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07
Extracted: redline
  life
  185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Targets
Detects Redline Stealer samples: This rule detects the presence of Redline Stealer samples based on their unique strings.
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application