redline | fc9c54b72323f2492fb6e22ce77628b7af0b349b6cb6030d55d1c40b35199e91 | Triage

Submit
Reports

Overview

overview

Static

static

9504bbd270...3d.exe

windows7_x64

9504bbd270...3d.exe

windows10_x64

Sharing

General

Target

9504bbd270464fd0a401aac457a5bd3d.exe
Size

654KB
Sample

210212-tcektrrab6
MD5

9504bbd270464fd0a401aac457a5bd3d
SHA1

2382d8c492db27b62539b8d15a377845473c1b7b
SHA256

fc9c54b72323f2492fb6e22ce77628b7af0b349b6cb6030d55d1c40b35199e91
SHA512

935457e8515f740545bccb3857b5a6e8baa8461dcc29a85e2db91a4d4b31cbdefd458fbb1eea22fd4c9ce565fbce522759b2a17d4ac5e694f935143f68524271

Score

10^/10

redline discovery infostealer spyware

Static task

static1

Behavioral task

behavioral1

Sample

9504bbd270464fd0a401aac457a5bd3d.exe

Resource

win7v20201028

redline discovery infostealer spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9504bbd270464fd0a401aac457a5bd3d.exe

Resource

win10v20201028

redline discovery infostealer spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  9504bbd270464fd0a401aac457a5bd3d.exe
- Size
  
  654KB
- MD5
  
  9504bbd270464fd0a401aac457a5bd3d
- SHA1
  
  2382d8c492db27b62539b8d15a377845473c1b7b
- SHA256
  
  fc9c54b72323f2492fb6e22ce77628b7af0b349b6cb6030d55d1c40b35199e91
- SHA512
  
  935457e8515f740545bccb3857b5a6e8baa8461dcc29a85e2db91a4d4b31cbdefd458fbb1eea22fd4c9ce565fbce522759b2a17d4ac5e694f935143f68524271
Score

10^/10

redline discovery infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlinediscoveryinfostealerspyware

behavioral2

redlinediscoveryinfostealerspyware

© 2018-2024

Terms | Privacy