redline | cb30058013faed163ca721e3818ae8c1429adeb96b74e53db2640cf27432da83 | Triage

Submit
Reports

Overview

overview

Static

static

6601211ba6...74.rtf

windows7_x64

6601211ba6...74.rtf

windows10_x64

1

Sharing

General

Target

6601211ba6533afdf6a2414a90b1f374.rtf
Size

2.4MB
Sample

201222-jcrcsg6e82
MD5

6601211ba6533afdf6a2414a90b1f374
SHA1

9d14e0e030f1af92a168662ef2556c99371fd256
SHA256

cb30058013faed163ca721e3818ae8c1429adeb96b74e53db2640cf27432da83
SHA512

ea7e9da9613287053028cd8e8c5bfd86e34631bdfece1306131c2f563dbfb743da866b6e15e3c0704aa5aa44d49752b136118de2bd330ca2f9a6be6c29d88686

Score

10^/10

redline discovery infostealer spyware

Static task

static1

Behavioral task

behavioral1

Sample

6601211ba6533afdf6a2414a90b1f374.rtf

Resource

win7v20201028

redline discovery infostealer spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

6601211ba6533afdf6a2414a90b1f374.rtf

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  6601211ba6533afdf6a2414a90b1f374.rtf
- Size
  
  2.4MB
- MD5
  
  6601211ba6533afdf6a2414a90b1f374
- SHA1
  
  9d14e0e030f1af92a168662ef2556c99371fd256
- SHA256
  
  cb30058013faed163ca721e3818ae8c1429adeb96b74e53db2640cf27432da83
- SHA512
  
  ea7e9da9613287053028cd8e8c5bfd86e34631bdfece1306131c2f563dbfb743da866b6e15e3c0704aa5aa44d49752b136118de2bd330ca2f9a6be6c29d88686
Score

10^/10

redline discovery infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlinediscoveryinfostealerspyware

behavioral2

© 2018-2024

Terms | Privacy