redline | 22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f | Triage

Submit
Reports

Overview

overview

Static

static

22c4e23b27...0f.msi

windows7_x64

22c4e23b27...0f.msi

windows10_x64

Sharing

General

Target

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f
Size

7.0MB
Sample

220127-web6bshcc8
MD5

8f8f140fc190448aa8b9b1e3ae118039
SHA1

37c537bb09d0b2738bf78a83d6ee6d7e78febe17
SHA256

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f
SHA512

c058ddf5a3259cab006d711a4caa6dc244ef1e95d9a2dcdac4c8a07d95c92b77245c3f74b76f497907f9f9fc92d932522bc9ba6cd4682e6e068adaabf0d43680

Score

10^/10

redline discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f.msi

Resource

win7-en-20211208

redline discovery infostealer persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f.msi

Resource

win10-en-20211208

redline infostealer persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f
- Size
  
  7.0MB
- MD5
  
  8f8f140fc190448aa8b9b1e3ae118039
- SHA1
  
  37c537bb09d0b2738bf78a83d6ee6d7e78febe17
- SHA256
  
  22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f
- SHA512
  
  c058ddf5a3259cab006d711a4caa6dc244ef1e95d9a2dcdac4c8a07d95c92b77245c3f74b76f497907f9f9fc92d932522bc9ba6cd4682e6e068adaabf0d43680
Score

10^/10

redline discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Core1 .NET packer
  Detects packer/loader used by .NET malware.
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinediscoveryinfostealerpersistencespywarestealer

behavioral2

redlineinfostealerpersistence

© 2018-2024

Terms | Privacy