General
-
Target
f19fa90ff55e27340dd39410e6dffd39.bin
-
Size
713KB
-
Sample
230613-cdg6eaed87
-
MD5
0ec8f6f0bd602696d12af8385f85fbf0
-
SHA1
4093f83d0064f2dbfd29958e33cdd7bb50acb3e3
-
SHA256
2e70b5eb079aaffe25a2bd6db16295afa27e73dc269a734f840e22bde1a9670a
-
SHA512
a7336258857132f4bdb114e9738fc6b1922974a0cdda72a8f9ccba4c9b0d9b356e149059a958dd1a936227ad626852687ae684d39574363e0f6704bebc022c92
-
SSDEEP
12288:+Qx35MvtftblfTrd0A8e2QUvGb3NgRxjTU2Q3uQlC2ZwfXM/yaaHlhPb/AxlfMlM:h21VblfCXvGLUTU2SBTwU/0HlxzUlfKM
Static task
static1
Behavioral task
behavioral1
Sample
09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d.exe
Resource
win7-20230220-en
Malware Config
Extracted
redline
dast
83.97.73.129:19068
-
auth_value
17d71bf1a3f93284f5848e00b0dd8222
Extracted
amadey
3.83
77.91.68.30/music/rock/index.php
Extracted
redline
crazy
83.97.73.129:19068
-
auth_value
66bc4d9682ea090eef64a299ece12fdd
Targets
-
-
Target
09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d.exe
-
Size
757KB
-
MD5
f19fa90ff55e27340dd39410e6dffd39
-
SHA1
6ff2b0805f5766dfeb73ffb74bb5bee154a33222
-
SHA256
09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d
-
SHA512
431076378298da465fac2cf50680cd66d868949724e6d98ec8f0e5681aee799edadb3428f19957602b7ad6c8e47a40e9850df403cc3304d540bcf2da90188b15
-
SSDEEP
12288:aMrly905KP0huYxgMOj1rZed5MA76VesQjREgZ/lzvBR7A6UsbjpisKe4z+0e:fyLP0NqMeZG5v76VesQ9EM/lzvT7NUsP
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-