General
-
Target
b25499e349a9fbb46c08b7dca1c1f882.exe
-
Size
5.8MB
-
Sample
211222-md8y8sgagl
-
MD5
b25499e349a9fbb46c08b7dca1c1f882
-
SHA1
433abf4d5cffd2c1594ad4b1d638249a7c35ebc0
-
SHA256
cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d
-
SHA512
05a9d952aadc9082edc8dc7f250d12e6160a3b56619e10d7ce583fb62b19eb9f3dd7f451d80811d01bc2089795a39c5076525b4d25e170787b041772911eecfc
Malware Config
Extracted
http://oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh1001.biz/hfile.bin
Extracted
redline
Main
80.89.228.129:80
Targets
-
-
Target
b25499e349a9fbb46c08b7dca1c1f882.exe
-
Size
5.8MB
-
MD5
b25499e349a9fbb46c08b7dca1c1f882
-
SHA1
433abf4d5cffd2c1594ad4b1d638249a7c35ebc0
-
SHA256
cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d
-
SHA512
05a9d952aadc9082edc8dc7f250d12e6160a3b56619e10d7ce583fb62b19eb9f3dd7f451d80811d01bc2089795a39c5076525b4d25e170787b041772911eecfc
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender notification settings
-
Modifies security service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Hidden Files and Directories
1