redline | f7110b1def06d7380d583ef5902076e986cc1688a1c1f21a5fe8f0576b3a9e4c | Triage

Submit
Reports

Overview

overview

Static

static

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺ�...ฺฺ

windows10_x64

.Bฺฺ�...ฺฺ

windows10_x64

8

10min

windows10_x64

Sharing

General

Target

client.bin.zip
Size

4.5MB
Sample

201227-x91lm8qffa
MD5

bc34bbf9bbc22725248229de6a153cba
SHA1

764226da9f3fb07c0c78124b7407765a5497d038
SHA256

f7110b1def06d7380d583ef5902076e986cc1688a1c1f21a5fe8f0576b3a9e4c
SHA512

513ce9e9773f55b4c1b34dc4978d3f38dffcef86ac0e078fcb65ae1057a9d225a0a07d66d6e2b041814836a853d9a417bf33ce4b24aecacc280af8333398b47e

Score

10^/10

redline discovery infostealer persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

client.bin.exe

Resource

win10v20201028

redline discovery infostealer persistence spyware

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

client.bin.exe

Resource

win10v20201028

redline discovery infostealer persistence spyware

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

client.bin.exe

Resource

win10v20201028

persistence spyware

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral4

Sample

client.bin.exe

Resource

win10v20201028

redline discovery infostealer persistence spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  client.bin
- Size
  
  4.7MB
- MD5
  
  30cbe96960eaf1c4eee427b5014db6c9
- SHA1
  
  322f4cf4a94c5d63d9f23dad150e35e4337f5a64
- SHA256
  
  7f943d80aa07781b55d73dfae0da2f256451ad8d887b9b45971348f18adcf54d
- SHA512
  
  c76c38b85d39f16c7d7b74957cca76e18466c49f25623d1f1427bc197d2a5da01f8829cbd9bbd15563e3e81ba64758ba161607bfc72d84990d6153b25d978ec0
Score

10^/10

redline discovery infostealer persistence spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinediscoveryinfostealerpersistencespyware

behavioral2

redlinediscoveryinfostealerpersistencespyware

behavioral3

persistencespyware

behavioral4

redlinediscoveryinfostealerpersistencespyware

© 2018-2024

Terms | Privacy