redline | a77f38a217972a2b148f5ecf75c7a07e5ab6daa61bdc6e11e031931b6ae6c110 | Triage

Submit
Reports

Overview

overview

Static

static

REPACKS PA...up.exe

windows7-x64

REPACKS PA...up.exe

windows10-2004-x64

Sharing

General

Target

REPACKS PASS (884488).zip
Size

5.8MB
Sample

220822-lsrstseahn
MD5

200cff3b9403824103cfd56bdcfb90bc
SHA1

2cb94c03237296e4a4952d44bd78c4f489dedcfe
SHA256

a77f38a217972a2b148f5ecf75c7a07e5ab6daa61bdc6e11e031931b6ae6c110
SHA512

92e7364ae8d6669a9990d541fef4abc72ba2aaaf5f36fe0032904298571858ff9ad136cfe01e1a1c449d5da6133434ccaef2df8bc8c34f03ed9c75eba1206f5d
SSDEEP

98304:5mxr+J8sL6Z+AqIbPRIRXSx9+FngmUCzUieCV/HAUWkGtwq3449fcj:5o+J8sxILN9+CNi1VHGp4yf2

Score

10^/10

redline discovery evasion exploit infostealer persistence

Static task

static1

Behavioral task

behavioral1

Sample

REPACKS PASS (884488)/setup.exe

Resource

win7-20220812-en

redline infostealer persistence

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

REPACKS PASS (884488)/setup.exe

Resource

win10v2004-20220812-en

redline discovery evasion exploit infostealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

redline

C2

185.148.39.219:47029

Attributes

auth_value
030514cd8489ae5e380e5ab4739f521f

Targets

- Target
  
  REPACKS PASS (884488)/setup.exe
- Size
  
  661.6MB
- MD5
  
  20a29c4cdb0e4f561146f8a8b23a0c75
- SHA1
  
  b8a3c3b85ff7286e3eca2f8435695f4f31f02a22
- SHA256
  
  ff9617310db9af9e3c9e5bd9c87b0ffc06c8661a53bca645657b551fdc92f0f5
- SHA512
  
  5b77be04a40dc140abbc287ce95c3597bf14ccf91923668d72b1c790e34d1c3e3edf49acfa9ca85d565bb49f85f1ad4e7397199195aff952cd858388024868ba
- SSDEEP
  
  98304:dv5bQ78+LmfAogOrH3YHtuxr+ZXCWQODmUugVrRugus0JIgRW/qq9y6j:ddQ78+BODXr+snUTVh0PW/
Score

10^/10

redline infostealer persistence discovery evasion exploit
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

File Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Tasks

static1

behavioral1

redlineinfostealerpersistence

behavioral2

redlinediscoveryevasionexploitinfostealer

© 2018-2024

Terms | Privacy