General
- Target: RedLineStealer.zip
- Size: 2.2MB
- Sample: 230726-j7wn8aah7t
- MD5: 23e576cf3374a423b059a59bdaee70ec
- SHA1: 00e059bbb45fb3db60b9e053120c14cd26cc6e76
- SHA256: f21acb874360a1bf19ca35523d521c765a85cee57ef3992032bcb0d5743888e7
- SHA512: a2dc1e596ab199b44d907ddf61affdf7631983edf7103e85a3a91aa793515608277c3350024e7e3c078f1f5abdcf58d7337d92dc1948c69103d974e01a2f6a6c
- SSDEEP: 49152:FgRl7NbO4FM6P+jRn48HKnDq1Uztw6Y/bRmAcL:SX7NbnFM62jp48HEe2zttsbR6
Behavioral task: behavioral1
- Sample: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
- Resource: win7-20230712-en

Behavioral task: behavioral2
- Sample: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
- Resource: win10v2004-20230703-en
Malware Config
Extracted: redline
- 150723_rc_11
- rcam15.tuktuk.ug:11290
- auth_value: 0b3645317afbcac212f68853bb45b46d

Extracted: laplas
- http://lpls.tuktuk.ug
- api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Targets
- Target: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
- Size: 2.3MB
- MD5: 9b06361b484531e8d71b64fbb32534d9
- SHA1: 6c47e8bfaf1b82c57c861312f1fe130cc5e21c96
- SHA256: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
- SHA512: dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb
- SSDEEP: 49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext