General

Target:  Setup.bin.zip
Size:    238KB
Sample:  230717-g18zvsae67
MD5:     46ab886a7756ef611d0798256d46425b
SHA1:    1f60a35b0ded2ca01e9578a8f59dc69e6d13c826
SHA256:  fa186ec42d8bd6705022f87ad0e474b89aa78c887da4d86603079c2ce2b28810
SHA512:  e8be54e21cb1e174bf169e1929092be009845946bd52e0b1db5024353ddd337b4bc2223eb8c604388b8e141021ed25417c29ef1dead4b7202f082d06b812030f
SSDEEP:  6144:yrm7tO+NdvAEu5TBtRdIS8VJpxupKzb2V1qKW2yY4rWx8ut/3Q:yrmBOqdvAEu5TBSS8VJTupKgWi4raPo
Static task
  static1

Behavioral tasks (all run the inner sample, Setup.exe)
  behavioral1  Resource: win7-20230712-en
  behavioral2  Resource: win10-20230703-en
  behavioral3  Resource: win10v2004-20230703-en
Malware Config

Extracted: redline
  Botnet ID:  @EclipsoNN
  C2:         94.142.138.4:80
  auth_value: a7c64217d1354dc4fff2d3e224a31954

Extracted: laplas (Laplas Clipper, a clipboard hijacker that swaps wallet addresses)
  C2:      http://185.209.161.189
  api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Targets

Target:  Setup.bin
Size:    685KB
MD5:     65df8723cddac2f68077a1e4ba85d517
SHA1:    939ae5f1fd476617933cb59dce91cc8032d1ffc4
SHA256:  e5ae0ceb6284e429c939dd9f38176b705f4047432d36d21c8120f7e1ea01f32b
SHA512:  7f917b2cd70aff161876fab16eca979d8ce27ac33501c11e2ad872e04f1507bad13e3a27a676cac09bc1c73613a44bf9b1a6f7462a60256764d1179b4b35933c
SSDEEP:  12288:D/1st25/ZyKB9UyTLrY1XbYcF9u2qgOlEYH+FYCiERKZ72uaAdi7++TQDZ:7O25/7rYbFZOlEYeFYCiERKZ72uaAdiy
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Downloads MZ/PE file
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence (the stealer refuses to run in certain countries).
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
  Rewriting another thread's context is a common step in process hollowing and other injection techniques; here it is consistent with the dropped EXE being unpacked into a host process.
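The indicators in this report (the two file hashes, the RedLine C2 and auth_value, the Laplas URL and api_key, the botnet ID) can be turned directly into a hunting script. The Python below is an added example and is not part of the sandbox report or of any tool it references. The indicator values are copied from the report; the log lines, file inventory and memory blob it scans are constructed samples, and the path names, the port-matching policy and the encoding assumption (RedLine is .NET, and .NET strings sit in memory as UTF-16LE, so config strings are searched in both UTF-8 and UTF-16LE) are this example's own choices.

```python
"""Hunt for the report's indicators in logs, file inventories and memory.

Indicators are copied from the sandbox report above. Everything marked
CONSTRUCTED below is sample input made up for this example.
"""
from __future__ import annotations

import re
from typing import Iterable

# SHA256 of the two files in the report -> which target they are.
SHA256_IOCS = {
    "fa186ec42d8bd6705022f87ad0e474b89aa78c887da4d86603079c2ce2b28810": "Setup.bin.zip",
    "e5ae0ceb6284e429c939dd9f38176b705f4047432d36d21c8120f7e1ea01f32b": "Setup.bin",
}
# C2 host -> (port the report gives, or None when it gives only a URL; family).
NETWORK_IOCS = {
    "94.142.138.4": (80, "redline"),
    "185.209.161.189": (None, "laplas"),
}
# Extracted config strings worth searching for in a process memory dump.
CONFIG_MARKERS = {
    "a7c64217d1354dc4fff2d3e224a31954": "redline auth_value",
    "f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7": "laplas api_key",
    "@EclipsoNN": "redline botnet id",
}

IP_PORT_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


def scan_network_log(lines: Iterable[str]) -> list[tuple[int, str, str, bool]]:
    """Return (line_no, host, family, port_ok) for every line touching a C2 host.

    port_ok is False when the line carries a port that differs from the one in
    the report; the hit is still returned because the host alone is an IOC.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for host, port in IP_PORT_RE.findall(line):
            if host not in NETWORK_IOCS:
                continue
            want_port, family = NETWORK_IOCS[host]
            port_ok = want_port is None or not port or int(port) == want_port
            hits.append((n, host, family, port_ok))
    return hits


def match_hashes(inventory: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """inventory yields (path, sha256 in any case); returns (path, report target)."""
    return [(path, SHA256_IOCS[h.lower()]) for path, h in inventory if h.lower() in SHA256_IOCS]


def find_config_markers(blob: bytes) -> dict[str, list[int]]:
    """Offsets of each config marker in a memory dump.

    Both UTF-8 and UTF-16LE are tried (assumption: RedLine is .NET, and .NET
    strings sit in memory as UTF-16LE, so a plain ASCII search would miss them).
    """
    found: dict[str, list[int]] = {}
    for marker, label in CONFIG_MARKERS.items():
        for enc in ("utf-8", "utf-16-le"):
            needle = marker.encode(enc)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                found.setdefault(label, []).append(pos)
                start = pos + 1
    return found


# CONSTRUCTED sample inputs (not real telemetry); paths are invented.
SAMPLE_NET_LOG = [
    "2023-07-17T10:01:02Z conn 10.0.0.5:51234 -> 94.142.138.4:80 tcp",
    "2023-07-17T10:01:09Z proxy GET http://185.209.161.189/ 200",
    "2023-07-17T10:02:00Z conn 10.0.0.5:51240 -> 94.142.138.4:443 tcp",  # C2 host, other port
    "2023-07-17T10:03:00Z conn 10.0.0.5:51241 -> 94.142.138.40:80 tcp",  # different host
]
SAMPLE_INVENTORY = [
    (r"C:\Users\victim\Downloads\Setup.bin.zip",
     "FA186EC42D8BD6705022F87AD0E474B89AA78C887DA4D86603079C2CE2B28810"),
    (r"C:\Users\victim\AppData\Local\Temp\Setup.exe",
     "e5ae0ceb6284e429c939dd9f38176b705f4047432d36d21c8120f7e1ea01f32b"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]
# 16 bytes of padding, the auth_value as a .NET (UTF-16LE) string, then the
# botnet id as plain ASCII.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "a7c64217d1354dc4fff2d3e224a31954".encode("utf-16-le")
    + b"\x00\x00"
    + b"@EclipsoNN\x00"
)

if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_NET_LOG):
        print("network:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY):
        print("file:", hit)
    for label, offsets in find_config_markers(SAMPLE_DUMP).items():
        print(f"memory: {label} at {offsets}")
```

Against the constructed inputs, the scanner flags the port-80 RedLine connection and the Laplas URL as clean hits and still surfaces the port-443 connection to the RedLine host with port_ok set to False, since contact with a known C2 address on another port is worth a look rather than silence. The memory search finds the auth_value only through the UTF-16LE pass, which is the reason for trying both encodings before concluding a dump does not contain the extracted config.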