redline | ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef | Triage

Submit
Reports

Overview

overview

Static

static

8

order_list...87.xls

windows7_x64

order_list...87.xls

windows10_x64

Sharing

General

Target

order_list_fe99087.xls
Size

221KB
Sample

210210-b8bjnr89da
MD5

aeb9b7f6fb7bac0deac61db8295e1d3c
SHA1

823814c91d8c75933f0f49cda5b07ac14e484390
SHA256

ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef
SHA512

cc3c349fdb18bbac96f36cff152c8c4873d10179cc6dab06863ac421ffc9b8d75f67c991522eaea736bc58aef3a7c172811e12f3ae08e4ebe6e32417456e936c

Score

10^/10

redline discovery infostealer macro ransomware spyware xlm

Static task

static1

Behavioral task

behavioral1

Sample

order_list_fe99087.xls

Resource

win7v20201028

redline discovery infostealer ransomware spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

order_list_fe99087.xls

Resource

win10v20201028

redline discovery infostealer ransomware spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://urgfuid.gq/z/z.exe

Targets

- Target
  
  order_list_fe99087.xls
- Size
  
  221KB
- MD5
  
  aeb9b7f6fb7bac0deac61db8295e1d3c
- SHA1
  
  823814c91d8c75933f0f49cda5b07ac14e484390
- SHA256
  
  ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef
- SHA512
  
  cc3c349fdb18bbac96f36cff152c8c4873d10179cc6dab06863ac421ffc9b8d75f67c991522eaea736bc58aef3a7c172811e12f3ae08e4ebe6e32417456e936c
Score

10^/10

redline discovery infostealer ransomware spyware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinediscoveryinfostealerransomwarespyware

behavioral2

redlinediscoveryinfostealerransomwarespyware

© 2018-2024

Terms | Privacy