redline | c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10_x64

Sharing

General

Target

c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982
Size

309KB
Sample

210929-m9jdfseggn
MD5

8baa6c1cadfa0a5b7a956e6c55d3d9d0
SHA1

c219a61f1dad6eddc14f3fdb009eae8d76b58c85
SHA256

c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982
SHA512

56f2c867d8534beb520b92ee24debff7db17440e2ce6ac90aecf13607121c1d7ecfd6f97953a3f604d0794e491bda42988a4c76e01f8128756eacca6a3ac8f8c

Score

10^/10

redline aboba discovery evasion infostealer spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982.exe

Resource

win10v20210408

redline aboba discovery evasion infostealer spyware stealer themida trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

aboba

C2

65.108.1.219:28593

Targets

- Target
  
  c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982
- Size
  
  309KB
- MD5
  
  8baa6c1cadfa0a5b7a956e6c55d3d9d0
- SHA1
  
  c219a61f1dad6eddc14f3fdb009eae8d76b58c85
- SHA256
  
  c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982
- SHA512
  
  56f2c867d8534beb520b92ee24debff7db17440e2ce6ac90aecf13607121c1d7ecfd6f97953a3f604d0794e491bda42988a4c76e01f8128756eacca6a3ac8f8c
Score

10^/10

redline aboba discovery evasion infostealer spyware stealer themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlineabobadiscoveryevasioninfostealerspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy