redline | 4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d | Triage

Submit
Reports

Overview

overview

Static

static

Setup2.exe

windows7-x64

Setup2.exe

windows10-2004-x64

Sharing

General

Target

Setup2.exe
Size

4.5MB
Sample

220830-qyhvbsbbg6
MD5

7ede5e1864c423c59a1cb3bdcd7cc939
SHA1

f34f722ed04615441656ccef087e7b982ae09af9
SHA256

4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d
SHA512

47350800da01d48c6c5ae1a7132bb3f9ed1a247fefbd153b4ec890fd1946a5812ae901f18b775dcc30deeb61e712f42436fcee1ba642ed1b8086517b81c9c95b
SSDEEP

98304:dN1vJXa7MqmTWoYNag+r2UFKl2PjXvp0rcqh2MqnPs17EwoIsuimtRc:dLJXa7WTZrjPjxCh8M7VoJuicRc

Score

10^/10

redline discovery evasion exploit infostealer spyware

Static task

static1

Behavioral task

behavioral1

Sample

Setup2.exe

Resource

win7-20220812-en

redline discovery evasion exploit infostealer spyware

windows7-x64

28 signatures

150 seconds

Behavioral task

behavioral2

Sample

Setup2.exe

Resource

win10v2004-20220812-en

discovery evasion exploit

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

redline

C2

185.200.191.18:80

Attributes

auth_value
a11ae941038a2a4398d552996dbd03f1

Targets

- Target
  
  Setup2.exe
- Size
  
  4.5MB
- MD5
  
  7ede5e1864c423c59a1cb3bdcd7cc939
- SHA1
  
  f34f722ed04615441656ccef087e7b982ae09af9
- SHA256
  
  4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d
- SHA512
  
  47350800da01d48c6c5ae1a7132bb3f9ed1a247fefbd153b4ec890fd1946a5812ae901f18b775dcc30deeb61e712f42436fcee1ba642ed1b8086517b81c9c95b
- SSDEEP
  
  98304:dN1vJXa7MqmTWoYNag+r2UFKl2PjXvp0rcqh2MqnPs17EwoIsuimtRc:dLJXa7WTZrjPjxCh8M7VoJuicRc
Score

10^/10

redline discovery evasion exploit infostealer spyware
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

File Permissions Modification

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Tasks

static1

behavioral1

redlinediscoveryevasionexploitinfostealerspyware

behavioral2

discoveryevasionexploit

© 2018-2024

Terms | Privacy