redline | 049726de878da8b7385b3f2a6223902e302ec9fac95d46ab5268bfe1aed094ca | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

3.0MB
Sample

220827-y3c4msgef7
MD5

0730caf5a88ec99420f192f98bfa07d8
SHA1

5830ffc1e922e8a3cd64c5d6593ae2ef33da25a1
SHA256

049726de878da8b7385b3f2a6223902e302ec9fac95d46ab5268bfe1aed094ca
SHA512

bcb82242dd7a8759d247eb3252c60f73f781e4156d77fa2990e43bdbe58af9b7deb2921ea17348dbb60b5940a1a903d34799cc9c622596f0a70d4add2a466e94
SSDEEP

49152:qqZH7ZkIFkIpoCkZVyEwuiRnQ/GRZ9j9EpOExENF/0S4fydRtlyZK4V5UVaVylO:nvk29miaY2pOXMS4fErymKUO

Score

10^/10

redline discovery evasion exploit infostealer spyware

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220812-en

redline discovery evasion exploit infostealer spyware

windows7-x64

27 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220812-en

discovery evasion exploit

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

redline

C2

185.200.191.18:80

Attributes

auth_value
a11ae941038a2a4398d552996dbd03f1

Targets

- Target
  
  tmp
- Size
  
  3.0MB
- MD5
  
  0730caf5a88ec99420f192f98bfa07d8
- SHA1
  
  5830ffc1e922e8a3cd64c5d6593ae2ef33da25a1
- SHA256
  
  049726de878da8b7385b3f2a6223902e302ec9fac95d46ab5268bfe1aed094ca
- SHA512
  
  bcb82242dd7a8759d247eb3252c60f73f781e4156d77fa2990e43bdbe58af9b7deb2921ea17348dbb60b5940a1a903d34799cc9c622596f0a70d4add2a466e94
- SSDEEP
  
  49152:qqZH7ZkIFkIpoCkZVyEwuiRnQ/GRZ9j9EpOExENF/0S4fydRtlyZK4V5UVaVylO:nvk29miaY2pOXMS4fErymKUO
Score

10^/10

redline discovery evasion exploit infostealer spyware
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

redlinediscoveryevasionexploitinfostealerspyware

behavioral2

discoveryevasionexploit

© 2018-2024

Terms | Privacy