redline | 26f7c7b83733f91effc4a8b1e30e87a66aba1420d9669ddfc886f9c0aa27bfad | Triage

Submit
Reports

Overview

overview

Static

static

Terror Mod...er.exe

windows7_x64

Terror Mod...er.exe

windows10_x64

Sharing

General

Target

Terror Mod Menu Launcher.exe
Size

355KB
Sample

211114-jcdj6agaf6
MD5

f3acc02f5ea2bc46d22802d65c8bb687
SHA1

b47b3f1e927165bbec555e7ef243cfb84ed0be47
SHA256

26f7c7b83733f91effc4a8b1e30e87a66aba1420d9669ddfc886f9c0aa27bfad
SHA512

0f68e547446093aa0dc57e636e0bc2104cb2e84f64c71953ad49009ba0720e3e1ea09c96328e54156bc07a45e2d8b7b66566141ef41981baec8f467a90b8ec10

Score

10^/10

redline xxluchxx1 discovery evasion infostealer spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

Terror Mod Menu Launcher.exe

Resource

win7-en-20211014

redline discovery infostealer spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Terror Mod Menu Launcher.exe

Resource

win10-en-20211104

redline xxluchxx1 discovery evasion infostealer spyware stealer themida trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

C2

23.88.109.42:55961

Extracted

Family

redline

Botnet

xxluchxx1

C2

212.86.102.63:62907

Targets

- Target
  
  Terror Mod Menu Launcher.exe
- Size
  
  355KB
- MD5
  
  f3acc02f5ea2bc46d22802d65c8bb687
- SHA1
  
  b47b3f1e927165bbec555e7ef243cfb84ed0be47
- SHA256
  
  26f7c7b83733f91effc4a8b1e30e87a66aba1420d9669ddfc886f9c0aa27bfad
- SHA512
  
  0f68e547446093aa0dc57e636e0bc2104cb2e84f64c71953ad49009ba0720e3e1ea09c96328e54156bc07a45e2d8b7b66566141ef41981baec8f467a90b8ec10
Score

10^/10

redline discovery infostealer spyware stealer xxluchxx1 evasion themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinediscoveryinfostealerspywarestealer

behavioral2

redlinexxluchxx1discoveryevasioninfostealerspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy