redline | 473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7 | Triage

Submit
Reports

Overview

overview

Static

static

7

473b161ab7...b7.exe

windows7_x64

473b161ab7...b7.exe

windows10-2004_x64

Sharing

General

Target

473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
Size

5.4MB
Sample

220714-h6v6macbam
MD5

e3d6dc87f0151a02413405cf24679168
SHA1

536c88ef259f430f9982159344878c714408aab0
SHA256

473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
SHA512

82d3dadcc267e0f5f9f31ade49084cc7b56ffc80861d7b124cb6e2e4ec64eceff7d6b02dd6117a342e3bff5045e66a38cae4a940ce6f3c7c6ee4cd90bb81f855

Score

10^/10

redline @whizzkid1 evasion infostealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7.exe

Resource

win7-20220414-en

redline @whizzkid1 evasion infostealer themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7.exe

Resource

win10v2004-20220414-en

redline @whizzkid1 evasion infostealer themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

@whizzkid1

C2

185.215.113.83:60722

Attributes

auth_value
ff9f6167737e6e2ab682ab9de72ded7d

Targets

- Target
  
  473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
- Size
  
  5.4MB
- MD5
  
  e3d6dc87f0151a02413405cf24679168
- SHA1
  
  536c88ef259f430f9982159344878c714408aab0
- SHA256
  
  473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
- SHA512
  
  82d3dadcc267e0f5f9f31ade49084cc7b56ffc80861d7b124cb6e2e4ec64eceff7d6b02dd6117a342e3bff5045e66a38cae4a940ce6f3c7c6ee4cd90bb81f855
Score

10^/10

redline @whizzkid1 evasion infostealer themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redline@whizzkid1evasioninfostealerthemidatrojan

behavioral2

redline@whizzkid1evasioninfostealerthemidatrojan

© 2018-2024

Terms | Privacy