redline | 95a32c06589042c29fc2879bc7e55866664628a0bf1a5180ec92f9b4c52c01cb | Triage

Submit
Reports

Overview

overview

Static

static

C4Loader.exe

windows7_x64

C4Loader.exe

windows10-2004_x64

1

Sharing

General

Target

C4Loader.exe
Size

2.2MB
Sample

220607-xvglesdgel
MD5

5e0b3c359fcc36dfa50f09642e628fd3
SHA1

88ca1402ca389c6fe41e13da53b27722f9dea253
SHA256

95a32c06589042c29fc2879bc7e55866664628a0bf1a5180ec92f9b4c52c01cb
SHA512

eaca6ef4448550d83b63ea4ca2f7c5817a23515e5f74d61eb0e79eafe9c0450d16854054dac2d777a16b19065d4e7d6aa47661715ca05c8646d7c8f63c795545

Score

10^/10

redline new1 discovery evasion exploit infostealer spyware suricata

Static task

static1

Behavioral task

behavioral1

Sample

C4Loader.exe

Resource

win7-20220414-en

redline new1 discovery evasion exploit infostealer spyware suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

C4Loader.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

new1

C2

194.87.186.140:46703

Attributes

auth_value
1f11240703f5c67f15da5cf49122762c

Targets

- Target
  
  C4Loader.exe
- Size
  
  2.2MB
- MD5
  
  5e0b3c359fcc36dfa50f09642e628fd3
- SHA1
  
  88ca1402ca389c6fe41e13da53b27722f9dea253
- SHA256
  
  95a32c06589042c29fc2879bc7e55866664628a0bf1a5180ec92f9b4c52c01cb
- SHA512
  
  eaca6ef4448550d83b63ea4ca2f7c5817a23515e5f74d61eb0e79eafe9c0450d16854054dac2d777a16b19065d4e7d6aa47661715ca05c8646d7c8f63c795545
Score

10^/10

redline new1 discovery evasion exploit infostealer spyware suricata
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

File Permissions Modification

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

redlinenew1discoveryevasionexploitinfostealerspywaresuricata

behavioral2

© 2018-2024

Terms | Privacy