redline

General

Target

1a4cfd9e39b9028cf14d4b64b39e427b30ee0e93793ec3d57e2986a77444db94
Size

4.0MB
Sample

220222-rv5elabadp
MD5

8caef35c1004b91b7f70670f8544e2bb
SHA1

3f94ee95beda87824632d6a65d65355b69a8ac19
SHA256

1a4cfd9e39b9028cf14d4b64b39e427b30ee0e93793ec3d57e2986a77444db94
SHA512

e5db1b3bf4b727da306eacd7dc79feea552244ffa48a6102dbb56066188b86f947c6fe7b0117908c0ed5c5d8a80bbe54eb4fb6eccac6d1be50f0b0ce0f28c557

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

DomAni

C2

varinnitof.xyz:80

Extracted

Family

redline

Botnet

333333

C2

2.56.57.212:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Targets

- Target
  
  1a4cfd9e39b9028cf14d4b64b39e427b30ee0e93793ec3d57e2986a77444db94
- Size
  
  4.0MB
- MD5
  
  8caef35c1004b91b7f70670f8544e2bb
- SHA1
  
  3f94ee95beda87824632d6a65d65355b69a8ac19
- SHA256
  
  1a4cfd9e39b9028cf14d4b64b39e427b30ee0e93793ec3d57e2986a77444db94
- SHA512
  
  e5db1b3bf4b727da306eacd7dc79feea552244ffa48a6102dbb56066188b86f947c6fe7b0117908c0ed5c5d8a80bbe54eb4fb6eccac6d1be50f0b0ce0f28c557
Score

10^/10

redline domani aspackv2 evasion infostealer persistence spyware stealer suricata trojan tofsee 333333 upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2