redline | 6228a057bf70d95e0f6cd3a5639d02e4155c84f7da9fd29bf879e3473d37d86d | Triage

Submit
Reports

Overview

overview

Static

static

ba66c7a46a...96.exe

windows7-x64

ba66c7a46a...96.exe

windows10-2004-x64

Sharing

General

Target

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396
Size

817KB
Sample

220811-2aw8lafed7
MD5

b62b613ae3fe7036fa43bc29ae47e543
SHA1

82d820788a5fd1a203b8c45f880ab1368257c818
SHA256

6228a057bf70d95e0f6cd3a5639d02e4155c84f7da9fd29bf879e3473d37d86d
SHA512

3f291f9e42efec5976c689c6c94cd321bd4b621a6f8694f56fa2a4f0bdd663397b0f19552cb9f5376d8a46f130c378109e5c078d10fd80cc53f3de0987992a3b

Score

10^/10

redline 4 5076357887 @tag12312341 nam3 discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe

Resource

win7-20220715-en

redline 4 5076357887 @tag12312341 nam3 discovery infostealer spyware stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe

Resource

win10v2004-20220722-en

redline 4 5076357887 @tag12312341 nam3 discovery infostealer persistence spyware stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

4

C2

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

C2

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

C2

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Targets

- Target
  
  ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396
- Size
  
  902KB
- MD5
  
  e6ae2071837c90e79a7f4c6e8e778f0f
- SHA1
  
  b340afd00d6feb4da15b9b10446417e51d3f7082
- SHA256
  
  ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396
- SHA512
  
  6e1662cc172d0001fb2de054eaff5dc8c9ba041cbec00a42d8311c92958e1b4690454262106ac26d0eed85863e2142dc5d4161a98c7cbabbcb6b083e7d02b59c
Score

10^/10

redline 4 5076357887 @tag12312341 nam3 discovery infostealer spyware stealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redline45076357887@tag12312341nam3discoveryinfostealerspywarestealer

behavioral2

redline45076357887@tag12312341nam3discoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy