redline | 30771966e27a617dec4499d5917d3fc8d4d3d67798c30c8b76a71238fbcfdfde | Triage

Submit
Reports

Overview

overview

Static

static

Vape Cracked.exe

windows7_x64

Vape Cracked.exe

windows10_x64

Sharing

General

Target

Vape Cracked.exe
Size

938KB
Sample

211210-z83f6aaaa5
MD5

1b193fdc036eb7492aa6bbb46e3e7523
SHA1

7aed312bb4dba8be005725821d642a38803f9968
SHA256

30771966e27a617dec4499d5917d3fc8d4d3d67798c30c8b76a71238fbcfdfde
SHA512

5610d12159465787c9fddbd6642c47300023b52fab59f48e76eb873721b3b30a9a5da159befaab835a5c528e0c41a364496ac84408f01ee10bccd9948404a74a

Score

10^/10

redline @dollax1337 discovery evasion infostealer persistence rat spyware stealer telegram trojan

Static task

static1

Behavioral task

behavioral1

Sample

Vape Cracked.exe

Resource

win7-en-20211208

redline @dollax1337 discovery evasion infostealer persistence rat spyware stealer telegram trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Vape Cracked.exe

Resource

win10-en-20211208

redline @dollax1337 discovery evasion infostealer persistence rat spyware stealer telegram trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

@dollax1337

C2

185.215.113.82:31104

Targets

- Target
  
  Vape Cracked.exe
- Size
  
  938KB
- MD5
  
  1b193fdc036eb7492aa6bbb46e3e7523
- SHA1
  
  7aed312bb4dba8be005725821d642a38803f9968
- SHA256
  
  30771966e27a617dec4499d5917d3fc8d4d3d67798c30c8b76a71238fbcfdfde
- SHA512
  
  5610d12159465787c9fddbd6642c47300023b52fab59f48e76eb873721b3b30a9a5da159befaab835a5c528e0c41a364496ac84408f01ee10bccd9948404a74a
Score

10^/10

redline @dollax1337 discovery evasion infostealer persistence rat spyware stealer telegram trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- TelegramRat
  Telegram_rat.
  telegram rat
- evasion
  evasion.
  evasion
- rl_trojan
  redline stealer.
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redline@dollax1337discoveryevasioninfostealerpersistenceratspywarestealertelegramtrojan

behavioral2

redline@dollax1337discoveryevasioninfostealerpersistenceratspywarestealertelegramtrojan

© 2018-2024

Terms | Privacy