General
Target: 62934b71f187d8cdc8b1097be05fef85.bin
Size: 1014KB
Sample: 230605-ndv8tagf6z
MD5: e10fb5c5a41ee7c7ef076387e6f5bf86
SHA1: 44f1cd83c6bfd9bbb0e8672ec2f545962100398b
SHA256: 1aadaca50782666a825179ff138bdda1d7a30b61121c35cc4bc066c4ea6ea4b6
SHA512: 7473e2100d7401e43566a9985d041a1e2023ea3da370610fa2622c73784861642e6deff2da9fb5a9020f48c1a7d638be602a4fdf7283e1bb8f2898b9ab89807a
SSDEEP: 24576:r25ohKNWiLVqvngkhY3BkhaFclocrON7KbI2XqSv830gaDSeEoL2T7biIR7EuFGb:r25oO5Viu3BkovcCJKbI6qE80gpoiT7y
Static task: static1
Behavioral task: behavioral1
  Sample: 06ea1faba79785b769a669064e464578f30330d81684beb1367a3f5399351e28.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 06ea1faba79785b769a669064e464578f30330d81684beb1367a3f5399351e28.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: redline
  lupa
  83.97.73.126:19046
  auth_value: 6a764aa41830c77712442516d143bc9c
Extracted: redline
  metro
  83.97.73.126:19046
  auth_value: f7fd4aa816bdbaad933b45b51d9b6b1a
Targets
Target: 06ea1faba79785b769a669064e464578f30330d81684beb1367a3f5399351e28.exe
Size: 1.0MB
MD5: 62934b71f187d8cdc8b1097be05fef85
SHA1: 16568ce41d8283226a9d37388bfab26ef92fafbc
SHA256: 06ea1faba79785b769a669064e464578f30330d81684beb1367a3f5399351e28
SHA512: 30ded102ce4ce12dfc903eefa0d459b15d88d774d1759e60a62d755466126624e676806b1c425de46e924ac0a38240dfe730b7355b16299c01f4a894ac2ea501
SSDEEP: 12288:NMrGy90xSshfzi9WnXNthY474jr45EQWfZia+i1Jam3rI8HArJH7U0fHT2hTQfU:vy72zi9W9te47o45OiadJD7IKAdHjrU
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext