redline | 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07 | Triage

Submit
Reports

Overview

overview

Static

static

aad0024d7c...14.exe

windows7_x64

aad0024d7c...14.exe

windows10-2004_x64

Sharing

General

Target

aad0024d7c30bf6fee7c90d90371ca14.exe
Size

37.0MB
Sample

220609-yyt7csbgbp
MD5

aad0024d7c30bf6fee7c90d90371ca14
SHA1

a503d2586a3eab062b1696fc1602bae9faaeb221
SHA256

69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
SHA512

b8aa5a82c7b3366bc93dee6bfffbb6d5e6fefeff12d8073f8a86993e0a4c985fd88dd33ef87b89384cd094dc34444fc505bfcb3b90cc647bd01088692c3f970a

Score

10^/10

redline main discovery evasion infostealer spyware trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

aad0024d7c30bf6fee7c90d90371ca14.exe

Resource

win7-20220414-en

redline main discovery evasion infostealer spyware trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

aad0024d7c30bf6fee7c90d90371ca14.exe

Resource

win10v2004-20220414-en

redline main discovery evasion infostealer spyware trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://thddghdd3.com/hfile.bin

Extracted

Family

redline

Botnet

Main

C2

185.250.148.104:23290

Attributes

auth_value
128a196090d81c16477a2ef82c42859f

Targets

- Target
  
  aad0024d7c30bf6fee7c90d90371ca14.exe
- Size
  
  37.0MB
- MD5
  
  aad0024d7c30bf6fee7c90d90371ca14
- SHA1
  
  a503d2586a3eab062b1696fc1602bae9faaeb221
- SHA256
  
  69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
- SHA512
  
  b8aa5a82c7b3366bc93dee6bfffbb6d5e6fefeff12d8073f8a86993e0a4c985fd88dd33ef87b89384cd094dc34444fc505bfcb3b90cc647bd01088692c3f970a
Score

10^/10

redline main discovery evasion infostealer spyware trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies Windows Defender notification settings
  evasion trojan
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

BITS Jobs

Hidden Files and Directories

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

File Permissions Modification

BITS Jobs

Hidden Files and Directories

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinemaindiscoveryevasioninfostealerspywaretrojanupx

behavioral2

redlinemaindiscoveryevasioninfostealerspywaretrojanupx

© 2018-2024

Terms | Privacy