General
-
Target
5e3330f0743827b34b76d55266feb2ce.bin
-
Size
550KB
-
Sample
230613-bn16laec98
-
MD5
f4d42d2b86ae9cc466b0325c70ab262b
-
SHA1
e5df8c6073d00e3cfa5e3b7c16185ae365e21b24
-
SHA256
77e892c3b19ced9ed8023a115a8c3e37ec0c3725008c152e1ea8080b340ef16a
-
SHA512
977f4e9c9045515a3e6a39bc57a70db3e467c052c5a7b092d51e48ee74fd05f448960a7311984cce32ddced20465ab99ed7ab34aef6bd0368725f5cd93014b7d
-
SSDEEP
12288:fQDtbLOQaeE+sMUm2I2Tkw7JjA7m++EhMotsyoRHUDV8/P2tBJbGbb+1wvZ9:fQBLOQae0Y2I2tJ2m++hotsyKISn2tfY
Static task
static1
Behavioral task
behavioral1
Sample
b012e928287eba5de20415c534ca1250349ded0f5ac77f8ccb1f28aa62af4766.exe
Resource
win7-20230220-en
Malware Config
Extracted
Family: redline
Botnet: dast
C2: 83.97.73.129:19068
auth_value: 17d71bf1a3f93284f5848e00b0dd8222
Extracted
Family: amadey
Version: 3.83
C2: 77.91.68.30/music/rock/index.php
Extracted
Family: redline
Botnet: crazy
C2: 83.97.73.129:19068
auth_value: 66bc4d9682ea090eef64a299ece12fdd
Extracted
Family: redline
Botnet: dare
C2: 83.97.73.129:19068
auth_value: cdee8b76b5a70827d5d5e110218c7d2f
Extracted
Family: redline
Botnet: droid
C2: 83.97.73.129:19068
auth_value: 4e534d26d67e90669e9843dbbfac4c52
Note: all four RedLine configs share the same C2 (83.97.73.129:19068) and differ only in botnet tag and auth_value; the Amadey config is the separate 3.83 loader stage.
Targets
-
Target
b012e928287eba5de20415c534ca1250349ded0f5ac77f8ccb1f28aa62af4766.exe
-
Size
594KB
-
MD5
5e3330f0743827b34b76d55266feb2ce
-
SHA1
48f0ddc136d4035b4f0ad6d214ccb113157e3ffe
-
SHA256
b012e928287eba5de20415c534ca1250349ded0f5ac77f8ccb1f28aa62af4766
-
SHA512
14fd948a2a32e75d7389c718a2047a75a9a35dfdfde37c67512c346e4943e937830088bcf80211e3a2832afb7ca1711e2f0c4128c9a4c537cd7eca1ede90cde7
-
SSDEEP
12288:CMrFy90asDkdDMfCfZQQqrz2aCsO+bMeRAdDoD5qjHKTBdsB2W:3yiD7CfZkzJZO+46M0WHKLW
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check before the stealer runs.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate installed software.
-
Suspicious use of SetThreadContext
-
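The extracted config and the behavioural signatures above can be turned into a small offline detector over Sysmon-shaped telemetry. The following is an added example, not code from the sandbox or from the report; the registry paths it matches are the usual locations behind each signature (Run/RunOnce for persistence, the Uninstall key for software enumeration, Control Panel\International for the locale/country lookup), the C2 values are copied from the config section, and the event records and the image names a.exe, b.exe and benign.exe are constructed for illustration.

```python
"""Offline matcher for the RedLine/Amadey behaviours in the report above.
Added example; the event records are constructed, not taken from the sandbox run."""
import re
from collections import Counter

# Network IOCs copied from the extracted config section of the report.
REDLINE_C2 = {("83.97.73.129", 19068)}            # shared by botnets dast/crazy/dare/droid
AMADEY_C2_URL = "77.91.68.30/music/rock/index.php" # Amadey 3.83 panel path

# Registry locations behind the behavioural signatures (assumed usual paths).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
UNINSTALL_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)
LOCALE_KEY_RE = re.compile(r"\\Control Panel\\International\\", re.I)  # country code, geofence


def classify(evt):
    """Return the list of signature names a single event triggers (possibly empty).

    Event shape (constructed, Sysmon-like):
      registry_set/registry_read: {"image", "key"}
      network_connect:            {"image", "dst", "port"}
      http_request:               {"image", "url"}
    """
    hits = []
    kind = evt.get("type")
    if kind == "registry_set" and RUN_KEY_RE.search(evt["key"]):
        hits.append("Adds Run key to start application")
    if kind in ("registry_read", "registry_set") and UNINSTALL_KEY_RE.search(evt["key"]):
        hits.append("Checks installed software on the system")
    if kind == "registry_read" and LOCALE_KEY_RE.search(evt["key"]):
        hits.append("Checks computer location settings")
    if kind == "network_connect" and (evt["dst"], evt["port"]) in REDLINE_C2:
        hits.append("RedLine C2 connection")
    if kind == "http_request" and evt["url"].split("://", 1)[-1] == AMADEY_C2_URL:
        hits.append("Amadey C2 request")
    return hits


def scan(events):
    """Aggregate hits per process image: {image: Counter(signature -> count)}."""
    report = {}
    for evt in events:
        for sig in classify(evt):
            report.setdefault(evt["image"], Counter())[sig] += 1
    return report


def flagged_processes(report, min_signatures=2):
    """Images that trip at least min_signatures distinct signatures, sorted by name.
    A single registry read is noisy on its own; stacking behaviours is what matters."""
    return sorted(img for img, hits in report.items() if len(hits) >= min_signatures)


# Constructed events (not from the sandbox run); a.exe mimics the report's behaviour.
SAMPLE_EVENTS = [
    {"type": "registry_read", "image": "a.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry_read", "image": "a.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"},
    {"type": "registry_set", "image": "a.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network_connect", "image": "a.exe", "dst": "83.97.73.129", "port": 19068},
    {"type": "http_request", "image": "b.exe", "url": "http://77.91.68.30/music/rock/index.php"},
    {"type": "registry_read", "image": "benign.exe", "key": r"HKCU\Software\ExampleApp\Settings"},
    {"type": "network_connect", "image": "benign.exe", "dst": "198.51.100.7", "port": 443},
]


if __name__ == "__main__":
    rep = scan(SAMPLE_EVENTS)
    for image in sorted(rep):
        print(image, dict(rep[image]))
    print("flagged:", flagged_processes(rep))
```

The C2 match is exact on address and port because the config gives exactly that; in production you would also key the Amadey match on the POST body shape rather than the URL alone, since the panel path changes between builds.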