redline | 5a6a96c9f2e763a6d8335fbe24aeec2b058da7757abe9d6fd758b842ce825e8a | Triage

Submit
Reports

Overview

overview

Static

static

Documents ...se.exe

windows7_x64

Documents ...se.exe

windows10-2004_x64

Resubmissions

07-07-2022 16:05

220707-tjsmrsccb4 10

07-07-2022 13:44

220707-q1ssbagghk 10

Sharing

General

Target

Documents your case.exe
Size

3.0MB
Sample

220707-q1ssbagghk
MD5

6ea9dfe1e593f42f90fcf3126c08e25b
SHA1

021b5048622e12bdf027cf92e2c18b92650fa87c
SHA256

5a6a96c9f2e763a6d8335fbe24aeec2b058da7757abe9d6fd758b842ce825e8a
SHA512

944ac24af7a54e34453dac0acf48fe9130160dbd337a0193ac343c7af5e4a6e5c3f34220ff3b40227b2a9e8aff7928e6f483d7058b20f15754301088d8391b7d

Score

10^/10

redline 1327052997 evasion infostealer persistence spyware suricata

Static task

static1

Behavioral task

behavioral1

Sample

Documents your case.exe

Resource

win7-20220414-en

redline 1327052997 evasion infostealer spyware suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Documents your case.exe

Resource

win10v2004-20220414-en

redline 1327052997 evasion infostealer persistence spyware suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

1327052997

C2

37.235.54.26:8362

Targets

- Target
  
  Documents your case.exe
- Size
  
  3.0MB
- MD5
  
  6ea9dfe1e593f42f90fcf3126c08e25b
- SHA1
  
  021b5048622e12bdf027cf92e2c18b92650fa87c
- SHA256
  
  5a6a96c9f2e763a6d8335fbe24aeec2b058da7757abe9d6fd758b842ce825e8a
- SHA512
  
  944ac24af7a54e34453dac0acf48fe9130160dbd337a0193ac343c7af5e4a6e5c3f34220ff3b40227b2a9e8aff7928e6f483d7058b20f15754301088d8391b7d
Score

10^/10

redline 1327052997 evasion infostealer spyware suricata persistence
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redline1327052997evasioninfostealerspywaresuricata

behavioral2

redline1327052997evasioninfostealerpersistencespywaresuricata

© 2018-2024

Terms | Privacy