redline | 92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9 | Triage

Submit
Reports

Overview

overview

Static

static

DownFlSetup999.exe

windows7_x64

DownFlSetup999.exe

windows10_x64

Sharing

General

Target

DownFlSetup999.exe
Size

68KB
Sample

211024-dt7lnsdhbr
MD5

ca9086de3f408d228e80d70078b92daa
SHA1

efb3169c11d03008d928e8b0b337a0f586abeaca
SHA256

92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9
SHA512

95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8

Score

10^/10

redline discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

DownFlSetup999.exe

Resource

win7-en-20211014

redline infostealer persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DownFlSetup999.exe

Resource

win10-en-20210920

redline discovery infostealer persistence spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  DownFlSetup999.exe
- Size
  
  68KB
- MD5
  
  ca9086de3f408d228e80d70078b92daa
- SHA1
  
  efb3169c11d03008d928e8b0b337a0f586abeaca
- SHA256
  
  92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9
- SHA512
  
  95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8
Score

10^/10

redline infostealer persistence discovery spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlineinfostealerpersistence

behavioral2

redlinediscoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy