redline | 565b1484478b1644bd1e8954e079f653b8f71c9f16997d4b7fc53f83da609e35 | Triage

Submit
Reports

Overview

overview

Static

static

GloryHack.exe

windows7_x64

GloryHack.exe

windows10_x64

Sharing

General

Target

GloryHack.exe
Size

857KB
Sample

211205-t1y6wafea3
MD5

f5ca907b9390037f5ee5106abdc71927
SHA1

91471f2d090e8858d2945faeffa17af57b8b2eaa
SHA256

565b1484478b1644bd1e8954e079f653b8f71c9f16997d4b7fc53f83da609e35
SHA512

27d3ad7f40c8ee6983e09e23b858feedcf7cc6170e549f3394f05789ba6c00e547e43d68d3994c47410fde995417771086a7fcf48ee581d41e50970e62858a9f

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

GloryHack.exe

Resource

win7-en-20211104

redline discovery evasion infostealer persistence spyware stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

GloryHack.exe

Resource

win10-en-20211014

redline discovery infostealer spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

C2

185.215.113.57:50723

Targets

- Target
  
  GloryHack.exe
- Size
  
  857KB
- MD5
  
  f5ca907b9390037f5ee5106abdc71927
- SHA1
  
  91471f2d090e8858d2945faeffa17af57b8b2eaa
- SHA256
  
  565b1484478b1644bd1e8954e079f653b8f71c9f16997d4b7fc53f83da609e35
- SHA512
  
  27d3ad7f40c8ee6983e09e23b858feedcf7cc6170e549f3394f05789ba6c00e547e43d68d3994c47410fde995417771086a7fcf48ee581d41e50970e62858a9f
Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinediscoveryevasioninfostealerpersistencespywarestealertrojanupx

behavioral2

redlinediscoveryinfostealerspywarestealer

© 2018-2024

Terms | Privacy