redline | 5b8ecae5fd44af6428f88915af963e596ad4af121076bcab7956c5125e56306b | Triage

Submit
Reports

Overview

overview

Static

static

5daff0720e...41.exe

windows7-x64

5daff0720e...41.exe

windows10-2004-x64

Sharing

General

Target

5daff0720e5dd482ea874b77624bd441.exe
Size

2.5MB
Sample

220804-kepkwacgc3
MD5

5daff0720e5dd482ea874b77624bd441
SHA1

66bf798605bb4c12f69538ebd0c99c9198f24e4c
SHA256

5b8ecae5fd44af6428f88915af963e596ad4af121076bcab7956c5125e56306b
SHA512

f4f83fe09ca2f24bc5991a9b0784bfc61ffacb10736838f641bc4e90ff3eed813d6ca7f8351fbf555afa95443409bbfbd7d09da93c80faf2cb2738f9d522009d

Score

10^/10

redline @tag3r1 evasion infostealer miner spyware themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

5daff0720e5dd482ea874b77624bd441.exe

Resource

win7-20220715-en

redline @tag3r1 evasion infostealer spyware themida trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

5daff0720e5dd482ea874b77624bd441.exe

Resource

win10v2004-20220722-en

redline @tag3r1 evasion infostealer miner spyware themida trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@tag3r1

C2

193.233.193.15:27469

Attributes

auth_value
554b82f47bce5a3808dbca3d25d639e4

Targets

- Target
  
  5daff0720e5dd482ea874b77624bd441.exe
- Size
  
  2.5MB
- MD5
  
  5daff0720e5dd482ea874b77624bd441
- SHA1
  
  66bf798605bb4c12f69538ebd0c99c9198f24e4c
- SHA256
  
  5b8ecae5fd44af6428f88915af963e596ad4af121076bcab7956c5125e56306b
- SHA512
  
  f4f83fe09ca2f24bc5991a9b0784bfc61ffacb10736838f641bc4e90ff3eed813d6ca7f8351fbf555afa95443409bbfbd7d09da93c80faf2cb2738f9d522009d
Score

10^/10

redline @tag3r1 evasion infostealer spyware themida trojan miner
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
  miner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redline@tag3r1evasioninfostealerspywarethemidatrojan

behavioral2

redline@tag3r1evasioninfostealerminerspywarethemidatrojan

© 2018-2024

Terms | Privacy