redline

General

Target

vape-all-versions_439051442.zip
Size

9.5MB
Sample

210719-v5c7bfntkn
MD5

6b19d473e78139fd1304a5017d063b22
SHA1

81febf16c5451df19900826acf841a2aaef81cc2
SHA256

96d4253f2a5f87da558797243cf65ebbc3f53fd0a5773e689f90dcf7f5db1abb
SHA512

afe7744478050198687194b210fd20ee26bd1240b080ba62c36d7cd3e8768863cb66c6f98e25942d5e90d39033d6b9f2eea686b6b57d88c25345b960479bad62

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

180721

C2

cookiebrokrash.info:80

Extracted

Family

redline

Botnet

bolshe50

C2

qusenero.xyz:80

Targets

- Target
  
  _vcofsoig.nfn.exe
- Size
  
  2.1MB
- MD5
  
  2c6fa0b31d84f67377ddd6ea2799b752
- SHA1
  
  cf0b9d9c65829009eba7c1a5845be69be5e2e837
- SHA256
  
  1c5c3a3fa4fdd0ea52166d9a924fac13883e5c5797b9acd89dace63e1a468f6f
- SHA512
  
  9beaa08110453de703105a17cf6237f099b069bfd913381af334b8f61f8f69c16648f84afe3852a361a934563a27178389a1077ede1a267312394c483d941ce6
Score

4^/10
behavioral1 behavioral2
- Target
  
  vape-all-versions_439051442.exe
- Size
  
  8.9MB
- MD5
  
  8de7400fa27c961d147b562df83afba5
- SHA1
  
  5c7a89c25a58ea3adfb954371d740f6f59a6bb97
- SHA256
  
  c1103a810f1b3a5abd360c04fe1effce6b90d88e30f283d92417ac1fcf72ca84
- SHA512
  
  27738d8c2eac4d39713ea0f455718cd36f538763e888744def2bdf70da8996d86f1bab66ff708d3c1ffa210cc9c9a2cc0d7bc46c7ce4f0b747b33753621a5fa3
Score

10^/10

redline 180721 bolshe50 discovery infostealer spyware stealer upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- redlinestealer
  RedlineStealer.
  stealer
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- autoit_exe
  AutoIT scripts compiled to PE executables.
behavioral3 behavioral4