redline

General

Target

SS™ Install.exe
Size

20.0MB
Sample

210126-z234vpctv2
MD5

8a98a1219b88d973ed494f8f3037fed4
SHA1

822510a92978231f108d3666003d44ea76e11edb
SHA256

45de963b46628c445931c07fdddd889c33e6be1e2847340d7971b49b40dea39e
SHA512

314a4f04e42a87eb396fb4642d4025ecf71c8ee0282355ad70a237be1e6cebf2066fb5a25a0149ddee08e24e0d788608c309fae3a2a7c4f53565442c6f571c72

Score

10^/10

Malware Config

Targets

- Target
  
  SS™ Install.exe
- Size
  
  20.0MB
- MD5
  
  8a98a1219b88d973ed494f8f3037fed4
- SHA1
  
  822510a92978231f108d3666003d44ea76e11edb
- SHA256
  
  45de963b46628c445931c07fdddd889c33e6be1e2847340d7971b49b40dea39e
- SHA512
  
  314a4f04e42a87eb396fb4642d4025ecf71c8ee0282355ad70a237be1e6cebf2066fb5a25a0149ddee08e24e0d788608c309fae3a2a7c4f53565442c6f571c72
Score

10^/10

redline discovery infostealer ransomware spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- JavaScript code in executable
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1