General
-
Target
25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa
-
Size
491KB
-
Sample
241109-y66kcstrem
-
MD5
96b5fee41c4754ee313a7ea6e5aadf7d
-
SHA1
4762efce0265a98676c21c1d3498c3c0890d63c1
-
SHA256
25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa
-
SHA512
118fca6138c35dc3afe9f04d08a4eb6142e3468050e250fbf924c4f0980231cdcc44742c4de963b40223fcd303dd9b36517527a68b09fc4e3d029289d7c438da
-
SSDEEP
12288:6Mrgy90vEZmEyW/eR/MNHafVyr4Na5iL/+r:+y0my4O06fsr4NU6+r
Static task
static1
Malware Config
Extracted
-
family
redline
-
botnet
lipo
-
c2
217.196.96.101:4132
-
auth_value
3183df2d03b17daa3c5ecc95e60086a5
Extracted
-
family
amadey
-
version
3.70
-
botnet
5d3738
-
c2
http://212.113.119.255
-
install_dir
5cb6818d6c
-
install_file
oneetx.exe
-
strings_key
79059fc55781c343f4be3c9266db011b
-
url_paths
/joomla/index.php
Targets
-
Target
25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa
-
Size
491KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
-
Amadey family
-
Detects Healer, an antivirus disabler dropper
-
Healer family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Scheduled Task/Job (1)
Scheduled Task (1)