redline

General

Target

Best Loader.rar
Size

12.2MB
Sample

220808-3zewaacab9
MD5

40ee1f975b03dcbb16d79228d0d30c99
SHA1

0fc0e02241a1f249dc836b6af52ebcb9aea5aeb8
SHA256

20604c0a935b40dae9f6f791deddf9f6c37524d6bbfb90b1ee7e6a6b339c61a9
SHA512

3b794c4b6beb85177b775c6d9e9db8b2d104e23abacb79bb59af71cb81bb35c96ed50402749398ab7268f98b09c7a1bc1096eb78e3ec2cb564fd120fc888c249

Score

10^/10

Malware Config

Extracted

Family

redline

C2

185.200.191.18:80

Attributes

auth_value
c7fe4e520a2358e148de28eb0d3f7a5e

Targets

- Target
  
  Loader.exe
- Size
  
  2.3MB
- MD5
  
  2c3fad8035fdf8f16d554e6054b028fa
- SHA1
  
  2c494bf2b1ff118c06a970ad235b73b0ca9cc9a0
- SHA256
  
  d246fd45d287b669b26347e38d9231801d85b6e5baf8485f093090a7289aafbe
- SHA512
  
  54fde453ca96d3a6879b47cccb7933880481fd2e4a527908eb6e57acfc640f50a486cb594c15df0422e3e6268e1e8bd2c4186e73ee33d606d83529e9dd105e7d
Score

6^/10

spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Loader2.exe
- Size
  
  4.6MB
- MD5
  
  8b748c19d519e352be4672fbc6b3561d
- SHA1
  
  ec7068896649caac57a04bf0fc101ddb4749861c
- SHA256
  
  b95da2213bec289569d3d68a8e461b74b78c86dfcc1f5a794dceec5de1b6a811
- SHA512
  
  f59964ccc2f3552e006a9ff1592aec7747d5355c053d9dd24e3fb5e907990e2339c6d37ea96243af88ceed8bd63318444143231f7d37b7966092be23e903833b
Score

10^/10

redline ytstealer infostealer spyware stealer upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- YTStealer
  YTStealer is a malware designed to steal YouTube authentication cookies.
  stealer ytstealer
- YTStealer payload
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

RedLine payload

YTStealer

YTStealer payload

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4