redline | d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14 | Triage

Submit
Reports

Overview

overview

Static

static

d5a6f4ae6a...14.exe

windows7_x64

d5a6f4ae6a...14.exe

windows10_x64

Sharing

General

Target

d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14.exe
Size

8.2MB
Sample

210505-s1r3kyf766
MD5

5b6110f5767aba1d8f06be7f854250e9
SHA1

31e9a270b849ce51ecdd274ae72c4be2490322fa
SHA256

d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14
SHA512

c8fed779968482653c4b40c66692f796489b04f9d692ecb209a03c6470c27163adfa3cbf9cbfe3c963c6841a74499ee443882ed0dea9c2901f33a58c54c3683c

Score

10^/10

redline eumix4 evasion infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14.exe

Resource

win7v20210410

redline eumix4 evasion infostealer persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14.exe

Resource

win10v20210408

redline eumix4 evasion infostealer spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

eumix4

C2

crownnest.cyou:80

Targets

- Target
  
  d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14.exe
- Size
  
  8.2MB
- MD5
  
  5b6110f5767aba1d8f06be7f854250e9
- SHA1
  
  31e9a270b849ce51ecdd274ae72c4be2490322fa
- SHA256
  
  d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14
- SHA512
  
  c8fed779968482653c4b40c66692f796489b04f9d692ecb209a03c6470c27163adfa3cbf9cbfe3c963c6841a74499ee443882ed0dea9c2901f33a58c54c3683c
Score

10^/10

redline eumix4 evasion infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Account Manipulation

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlineeumix4evasioninfostealerpersistencespywarestealer

behavioral2

redlineeumix4evasioninfostealerspywarestealer

© 2018-2024

Terms | Privacy