General
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.129:19068
Attributes
auth_value: 6a3f22e5f4209b056a3fd330dc71956a

Extracted
Family: redline
Botnet: sheron
C2: 83.97.73.129:19068
Attributes
auth_value: 2d067e7e2372227d3a03b335260112e9

Both extracted configurations use the same C2 endpoint (83.97.73.129:19068) and differ only in the botnet tag and auth_value, so the C2 address is the one network indicator to act on; the botnet tag and auth_value identify the individual build.
Targets

Target: http://117.216.1.10:56251/i
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Patched UPX-packed file
The sample is packed with UPX, but header fields the stock UPX tool requires have been zeroed out, so the default UPX tool cannot unpack it. The packed code is still there; only the metadata the unpacker validates is gone.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check used to skip hosts in excluded countries.

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Drops Chrome extension

Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system. RedLine is an infostealer rather than a bootkit, so confirm this hit against the actual raw disk writes before treating it as MBR tampering.

Suspicious use of SetThreadContext
Calling SetThreadContext on a thread of another process is the redirect step of process hollowing and thread hijacking, which is consistent with the dropped-EXE execution above.
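For the "Patched UPX-packed file" signature above, here is an added example (not code from the sandbox report, from RedLine or from the UPX project) of how an analyst can tell an intact UPX image from one whose pack header has been zeroed: the UPX0/UPX1 section names survive in the section table, but the "UPX!" magic and the fields after it (which the stock unpacker validates) do not. The pack-header layout and the minimal PE images built inline are assumptions made for the example; the sample images are constructed, not taken from the report.

```python
import struct

UPX_MAGIC = b"UPX!"
# UPX PackHeader layout for PE targets, as this example assumes it: magic,
# version, format, method, level, u_adler, c_adler, u_len, c_len, u_file_size,
# filter, filter_cto, n_mru, header checksum (32 bytes in total).
PACKHEADER_FMT = "<4sBBBBIIIIIBBBB"
PACKHEADER_LEN = struct.calcsize(PACKHEADER_FMT)


def section_names(pe: bytes) -> list:
    """Walk the PE headers and return the section names in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        names.append(pe[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def classify_upx(pe: bytes) -> str:
    """Return 'upx', 'upx-patched' or 'not-upx'.

    'upx'         : UPX! magic present and the pack-header fields are non-zero,
                    so the stock tool has what it needs to unpack.
    'upx-patched' : UPX0/UPX1 sections (or a magic) are present but the pack
                    header is missing or zeroed, the case this report flags.
    """
    names = section_names(pe)
    has_upx_sections = any(n.upper().startswith("UPX") for n in names)
    pos = pe.find(UPX_MAGIC)
    header = None
    if pos >= 0 and pos + PACKHEADER_LEN <= len(pe):
        header = struct.unpack_from(PACKHEADER_FMT, pe, pos)
    fields_zeroed = header is not None and not any(header[1:])
    if header is not None and not fields_zeroed:
        return "upx"
    if has_upx_sections or header is not None:
        return "upx-patched"
    return "not-upx"


def build_sample(names, trailer=b"") -> bytes:
    """Constructed minimal PE32 image (not a real binary) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    optional = bytes(0xE0)                     # zeroed PE32 optional header
    table = b"".join(n.encode("latin-1").ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + optional + table + trailer


# Illustrative pack-header values; only "non-zero" matters to the check.
INTACT_HEADER = struct.pack(PACKHEADER_FMT, UPX_MAGIC, 13, 36, 2, 9,
                            0x11111111, 0x22222222, 0x8000, 0x4000, 0x9000,
                            0x26, 0, 0, 0x5A)
SAMPLE_UPX = build_sample(["UPX0", "UPX1", ".rsrc"], bytes(16) + INTACT_HEADER)
SAMPLE_PATCHED = build_sample(["UPX0", "UPX1", ".rsrc"], bytes(16 + PACKHEADER_LEN))
SAMPLE_PLAIN = build_sample([".text", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in (("upx", SAMPLE_UPX), ("patched", SAMPLE_PATCHED), ("plain", SAMPLE_PLAIN)):
        print(label, section_names(blob), classify_upx(blob))
```

A "upx-patched" verdict means static unpacking will need a manual repair of the pack header or a memory dump after the unpacking stub has run; note that the section-name heuristic is also defeated when the packer renames UPX0/UPX1, which is why the magic scan is kept as a second signal.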
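The three registry-based behaviours flagged above (location check, Uninstall enumeration, Run key persistence) are straightforward to reproduce as detection logic over a sandbox's registry trace. The following is an added example, not the sandbox's own signature engine: it parses constructed registry events and reports which of the three behaviours they exhibit. The event format, the HKCU\Control Panel\International\Geo\Nation value name used for the location check, and the threshold of three distinct Uninstall entries are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sandbox registry trace (not taken from the report). One event per
# line: <operation> <key path>[\<value name>][ = <data>]
SAMPLE_EVENTS = r"""
RegOpenKey    HKCU\Control Panel\International\Geo
RegQueryValue HKCU\Control Panel\International\Geo\Nation
RegEnumKey    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-1033-FFFF-7760-000000000006}\DisplayName
RegQueryValue HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayVersion
RegSetValue   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = C:\Users\user\AppData\Roaming\svchost32.exe
RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
"""

LINE_RE = re.compile(r"^(\w+)\s+(.+?)(?:\s+=\s+(.*))?$")

# Assumed value name for the configured country code (the geofence lookup).
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# One installed-software entry: Uninstall\<product>\<DisplayName|DisplayVersion|UninstallString>
UNINSTALL_ENTRY = re.compile(
    r"\\CurrentVersion\\Uninstall\\([^\\]+)\\(DisplayName|DisplayVersion|UninstallString)$", re.I)
# A value written under Run or RunOnce (HKCU or HKLM) is the autostart entry.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
UNINSTALL_MIN_ENTRIES = 3   # threshold is an assumption, chosen to ignore a single lookup


def parse_events(text):
    """Turn the trace into (operation, path, data) tuples; data is None when absent."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def evaluate(events):
    """Map signature name -> list of evidence strings for the behaviours seen."""
    hits = defaultdict(list)
    uninstall_entries = set()
    for op, path, data in events:
        op = op.lower()
        if op in ("regqueryvalue", "regopenkey") and GEO_NATION.search(path):
            hits["Checks computer location settings"].append(path)
        m = UNINSTALL_ENTRY.search(path)
        if m and op == "regqueryvalue":
            uninstall_entries.add(m.group(1).lower())
        m = RUN_KEY.search(path)
        if m and op == "regsetvalue":
            hits["Adds Run key to start application"].append(f"{m.group(1)} -> {data}")
    if len(uninstall_entries) >= UNINSTALL_MIN_ENTRIES:
        hits["Checks installed software on the system"].append(
            f"{len(uninstall_entries)} Uninstall entries enumerated")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in evaluate(parse_events(SAMPLE_EVENTS)).items():
        print(name)
        for item in evidence:
            print("   ", item)
```

The Uninstall rule counts distinct product subkeys rather than raw reads so that one legitimate version check does not trip it; in a real pipeline the events would also be keyed by process so that a Run-key write by an installer is not attributed to the dropped EXE.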