General
Target: 13499eab406c0a48dcf39dda4aa38e19.bin
Size: 714KB
Sample: 230613-bcyakaec69
MD5: abd6d4ba000779e9db0765326b7c3c6c
SHA1: ff8b0e4db46b1ad675b6d76c47805e45e7eafc07
SHA256: a6a3216a9c020548c53f786ebd90be128225f164804e4b9773e2e00dab7d35d3
SHA512: b482604a4fb05b7c88fe81b41f63509d21c5299a8e15b986f59b6a3da42c325feb27af08c2d1e052e3acca24400df9d0bdfeb93c518999fcd99d9cbfbf121cff
SSDEEP: 12288:mfUHqQm5w5Fr+niLXpWQN4kcqNSuGAzBLwC7/MbFVLwN/G3MOFulGPoh+ja6Kl:cUKQv5FrsWtcq9fzZ7/4V8xGolIjaf
Static task: static1
Behavioral task: behavioral1
Sample: 74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958.exe
Resource: win7-20230220-en
Malware Config
Extracted
Family: redline
Botnet: dast
C2: 83.97.73.129:19068
auth_value: 17d71bf1a3f93284f5848e00b0dd8222
Extracted
Family: amadey
Version: 3.83
C2: 77.91.68.30/music/rock/index.php
Extracted
Family: redline
Botnet: crazy
C2: 83.97.73.129:19068
auth_value: 66bc4d9682ea090eef64a299ece12fdd
Extracted
Family: redline
Botnet: dare
C2: 83.97.73.129:19068
auth_value: cdee8b76b5a70827d5d5e110218c7d2f
Extracted
Family: redline
Botnet: droid
C2: 83.97.73.129:19068
auth_value: 4e534d26d67e90669e9843dbbfac4c52
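The extracted configs above give two network indicators worth hunting for: all four RedLine builds (botnets dast, crazy, dare, droid) share the single C2 83.97.73.129:19068 and differ only in their auth_value, and the Amadey 3.83 loader checks in to 77.91.68.30/music/rock/index.php. The following is an added example, not code from the sandbox report or from any tool it names: it turns those config strings into structured indicators and grades constructed connection and proxy log lines against them, reporting a high-confidence hit on a full host/port (and path) match and a medium-confidence hit when only the C2 host matches, which covers a rotated port or an unobserved URL. The log line formats, the assumption that the Amadey URL is plain HTTP on port 80, and the sample log itself are all constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# C2 indicators copied verbatim from the "Malware Config" section of the report.
REDLINE_C2 = "83.97.73.129:19068"
AMADEY_C2 = "77.91.68.30/music/rock/index.php"


@dataclass(frozen=True)
class NetIoc:
    family: str
    host: str
    port: Optional[int]  # None means any port
    path: Optional[str]  # None means no path is known for this indicator


def build_iocs() -> List[NetIoc]:
    """Turn the report's config strings into structured indicators."""
    host, port = REDLINE_C2.split(":")
    amadey_host, amadey_path = AMADEY_C2.split("/", 1)
    return [
        NetIoc("redline", host, int(port), None),
        # Amadey's config is a bare URL with no scheme; plain HTTP on port 80
        # is an assumption made for this demo.
        NetIoc("amadey", amadey_host, 80, "/" + amadey_path),
    ]


# Two constructed log shapes (assumptions for the demo, not real telemetry):
#   <ts> conn <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
#   <ts> http <src_ip> <METHOD> <url> <status>
CONN_RE = re.compile(r"^(\S+) conn (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
HTTP_RE = re.compile(r"^(\S+) http (\S+) (\w+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^(https?)://([^/:\s]+)(?::(\d+))?(/\S*)?$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    confidence: str  # "high": host+port(+path) match; "medium": host only
    reason: str


def parse_line(line: str):
    """Return (dst_host, dst_port, path_or_None), or None for unparseable lines."""
    m = CONN_RE.match(line)
    if m:
        return m.group(4), int(m.group(5)), None
    m = HTTP_RE.match(line)
    if m:
        u = URL_RE.match(m.group(4))
        if u:
            default_port = 443 if u.group(1) == "https" else 80
            port = int(u.group(3)) if u.group(3) else default_port
            return u.group(2), port, u.group(4) or "/"
    return None


def match_ioc(ioc: NetIoc, host: str, port: int, path: Optional[str]):
    """Grade one parsed destination against one indicator."""
    if host != ioc.host:
        return None
    if ioc.port is not None and port != ioc.port:
        # Same C2 host on another port: still worth a look, C2 ports rotate.
        return "medium", f"{ioc.family} C2 host {host} on unexpected port {port}"
    if ioc.path is not None and path != ioc.path:
        return "medium", f"{ioc.family} C2 host {host}, config path not observed"
    return "high", f"{ioc.family} C2 {host}:{port}{path or ''}"


def scan_log(lines, iocs=None) -> List[Hit]:
    """Scan log lines and return every indicator hit, in line order."""
    iocs = iocs if iocs is not None else build_iocs()
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, port, path = parsed
        for ioc in iocs:
            graded = match_ioc(ioc, host, port, path)
            if graded:
                hits.append(Hit(n, ioc.family, graded[0], graded[1]))
    return hits


# Constructed sample log (not captured traffic); line 4 is benign noise.
SAMPLE_LOG = [
    "2023-06-13T10:01:58Z http 10.0.0.5 POST http://77.91.68.30/music/rock/index.php 200",
    "2023-06-13T10:02:11Z conn 10.0.0.5:49712 -> 83.97.73.129:19068 tcp",
    "2023-06-13T10:02:30Z conn 10.0.0.5:49713 -> 83.97.73.129:443 tcp",
    "2023-06-13T10:03:02Z http 10.0.0.5 GET http://example.com/ 200",
    "2023-06-13T10:03:40Z conn 10.0.0.5:49714 -> 77.91.68.30:80 tcp",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.confidence}] {hit.reason}")
```

Run against the constructed log this yields four hits: the Amadey check-in and the RedLine C2 connection as high confidence, and the same two hosts on an unexpected port or without the configured path as medium. The auth_value fields are per-build tokens sent inside the RedLine session rather than network addresses, so they are not used as indicators here.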
Targets
Target: 74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958.exe
Size: 758KB
MD5: 13499eab406c0a48dcf39dda4aa38e19
SHA1: 7bde52bbb83557923b367462cab76b484949c4fc
SHA256: 74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958
SHA512: 3fd55ffbce197423d3bd8e3f7e35ef31365a542404349a424626afcca1347176897a5def788fe912a3ec0aa35a069af5db8ce952cd414002a90e5e4d589ad4e0
SSDEEP: 12288:kMrKy90Hsvj1Z520YjN4f0ggFgcZH2i1IlnBTKIyYjLXX/tLMpviwEFmTi33X6RR:OyTb1ZM0YjN4fAiU7IGIyWLXVAnEFmTV
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of SetThreadContext (the API used to redirect a suspended thread's entry point, a common process hollowing step)