redline | 755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60 | Triage

Submit
Reports

Overview

overview

Static

static

sonia_4.exe

windows7_x64

sonia_4.exe

windows10_x64

Sharing

General

Target

sonia_4.exe
Size

8KB
Sample

210720-skgqye3776
MD5

6765fe4e4be8c4daf3763706a58f42d0
SHA1

cebb504bfc3097a95d40016f01123b275c97d58c
SHA256

755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
SHA512

c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Score

10^/10

redline aninew infostealer persistence stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

sonia_4.exe

Resource

win7v20210410

redline aninew infostealer persistence stealer upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

sonia_4.exe

Resource

win10v20210410

redline aninew infostealer persistence stealer upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

AniNEW

C2

akedauiver.xyz:80

Targets

- Target
  
  sonia_4.exe
- Size
  
  8KB
- MD5
  
  6765fe4e4be8c4daf3763706a58f42d0
- SHA1
  
  cebb504bfc3097a95d40016f01123b275c97d58c
- SHA256
  
  755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
- SHA512
  
  c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55
Score

10^/10

redline aninew infostealer persistence stealer upx
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- redlinestealer
  RedlineStealer.
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlineaninewinfostealerpersistencestealerupx

behavioral2

redlineaninewinfostealerpersistencestealerupx

© 2018-2024

Terms | Privacy