redline | 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5 | Triage

Submit
Reports

Overview

overview

Static

static

5694c5dc54...1c.exe

windows7_x64

5694c5dc54...1c.exe

windows10_x64

Sharing

General

Target

5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe
Size

875KB
Sample

211106-yr5dracgen
MD5

6441aef8da572f0501246046025c003b
SHA1

522662a7e934e94afc6c42a73ddfaede2df82d3c
SHA256

5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5
SHA512

12ca37966fcaebabf1f5768f4d344c8838ec18e6adbbe5dc9c4b8dafc7e0d2323119706f61586cc8ec5bfbceb561968230efdd1bebe1880f7329e1243d8ae54c

Score

10^/10

redline next2 discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe

Resource

win7-en-20211014

redline next2 discovery infostealer persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe

Resource

win10-en-20211104

redline next2 discovery infostealer persistence spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

next2

C2

bigboobstop.store:34585

boyshipgir.site:34585

Targets

- Target
  
  5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe
- Size
  
  875KB
- MD5
  
  6441aef8da572f0501246046025c003b
- SHA1
  
  522662a7e934e94afc6c42a73ddfaede2df82d3c
- SHA256
  
  5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5
- SHA512
  
  12ca37966fcaebabf1f5768f4d344c8838ec18e6adbbe5dc9c4b8dafc7e0d2323119706f61586cc8ec5bfbceb561968230efdd1bebe1880f7329e1243d8ae54c
Score

10^/10

redline next2 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinenext2discoveryinfostealerpersistencespywarestealer

behavioral2

redlinenext2discoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy