General
-
Target
f56b9f50b6ac84b63aecefb5419170b2f69b19c54c7023fe57357f514178c820
-
Size
778KB
-
Sample
230603-lyg6ksgg6y
-
MD5
c3cff9931951e87531afa6bfa2b7d03f
-
SHA1
ab98cde11b8b72fce18770e09f2a6b4aa5edd974
-
SHA256
f56b9f50b6ac84b63aecefb5419170b2f69b19c54c7023fe57357f514178c820
-
SHA512
5ce440e00178b0610d0de0c8ab2a6de0208f590136713678b96c92e462a6084861cdadaf228404c575166bd0e1c6f3b2dff2774d4110fb49ef4f9ffdfc7ea273
-
SSDEEP
12288:EMrby90vag2x6FheFRnd0+qOtGjUJfRdr1uNAM/CjQt9IVJivRz06MPalsig:/yAaL5Xd0NY31PM/wnPivq6Mcsd
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Extracted
redline
metro
83.97.73.126:19046
-
auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a
Targets
-
-
Target
f56b9f50b6ac84b63aecefb5419170b2f69b19c54c7023fe57357f514178c820
-
Size
778KB
-
MD5
c3cff9931951e87531afa6bfa2b7d03f
-
SHA1
ab98cde11b8b72fce18770e09f2a6b4aa5edd974
-
SHA256
f56b9f50b6ac84b63aecefb5419170b2f69b19c54c7023fe57357f514178c820
-
SHA512
5ce440e00178b0610d0de0c8ab2a6de0208f590136713678b96c92e462a6084861cdadaf228404c575166bd0e1c6f3b2dff2774d4110fb49ef4f9ffdfc7ea273
-
SSDEEP
12288:EMrby90vag2x6FheFRnd0+qOtGjUJfRdr1uNAM/CjQt9IVJivRz06MPalsig:/yAaL5Xd0NY31PM/wnPivq6Mcsd
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-