General
Target: fc681819662e371ec413e1a0a7ff564c0e38cb7bd6b0120e1652f4a2909fd563.bin
Size: 1.5MB
Sample: 230507-kshdqacd99
MD5: 47a21765863aa9b2bfc927a327a85b8c
SHA1: 677e72994b10249d7315fd8b3b3cff5a55f84117
SHA256: fc681819662e371ec413e1a0a7ff564c0e38cb7bd6b0120e1652f4a2909fd563
SHA512: a6a403c584abf849cd7f2b2286f8269dc74ad18840f59b277071a8e7d8133e743f2b7538c3c23871927247c67e839f096bdeea6619d2576678e1ccff39e15397
SSDEEP: 24576:AyqLaN/EYmTnSEF0/REDoPWQLVZKsy2660Z//2dnQGMRnr6560ss/S:HJYsRUoeWAsy/d/eJtSIIs/
Static task: static1
Behavioral task: behavioral1
  Sample: fc681819662e371ec413e1a0a7ff564c0e38cb7bd6b0120e1652f4a2909fd563.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: fc681819662e371ec413e1a0a7ff564c0e38cb7bd6b0120e1652f4a2909fd563.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: amadey
  3.70
  212.113.119.255/joomla/index.php
Extracted: redline
  gena
  185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07
Extracted: redline
  life
  185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Targets
Target: fc681819662e371ec413e1a0a7ff564c0e38cb7bd6b0120e1652f4a2909fd563.bin
Size: 1.5MB
MD5: 47a21765863aa9b2bfc927a327a85b8c
SHA1: 677e72994b10249d7315fd8b3b3cff5a55f84117
SHA256: fc681819662e371ec413e1a0a7ff564c0e38cb7bd6b0120e1652f4a2909fd563
SHA512: a6a403c584abf849cd7f2b2286f8269dc74ad18840f59b277071a8e7d8133e743f2b7538c3c23871927247c67e839f096bdeea6619d2576678e1ccff39e15397
SSDEEP: 24576:AyqLaN/EYmTnSEF0/REDoPWQLVZKsy2660Z//2dnQGMRnr6560ss/S:HJYsRUoeWAsy/d/eJtSIIs/
Signatures
- Detects Redline Stealer samples: This rule detects the presence of Redline Stealer samples based on their unique strings.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application