redline | 94d9ec71d765987b11a7f3bbc5ab0c09fd607e74fe3a9d9abc2c1b53b40a0744 | Triage

Sharing

General

Target

94d9ec71d765987b11a7f3bbc5ab0c09fd607e74fe3a9d9abc2c1b53b40a0744
Size

308KB
Sample

220905-lfggbsefbq
MD5

42dcd9d15f8fd922b5c5b786d2129c40
SHA1

41e1cc3bff7af58708ea7512be6b308bfcee939f
SHA256

94d9ec71d765987b11a7f3bbc5ab0c09fd607e74fe3a9d9abc2c1b53b40a0744
SHA512

0a4ceec9b78c9052e437602f9786d7120d9746284995d4dbc95ee450439744ffb1633fe7ed527e923be3be9712861a6dd4c3e91ee886738969344ef6fcdeb0c4
SSDEEP

6144:tFVE4WG2I57ymtZxIGHi/oDYlcOIzgNlfig5OfYlqkp:lZ2y7ymzOu+hNln8k

Score

10^/10

redline lyllkal.05.09 mettop1 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

mettop1

C2

xoralessh.xyz:80

Attributes

auth_value
a8206072062ec5262484a012d246646b

Extracted

Family

redline

Botnet

Lyllkal.05.09

C2

185.215.113.216:21921

Attributes

auth_value
2df530f82cb4bd0f6bef5527a1d5de70

Targets

- Target
  
  94d9ec71d765987b11a7f3bbc5ab0c09fd607e74fe3a9d9abc2c1b53b40a0744
- Size
  
  308KB
- MD5
  
  42dcd9d15f8fd922b5c5b786d2129c40
- SHA1
  
  41e1cc3bff7af58708ea7512be6b308bfcee939f
- SHA256
  
  94d9ec71d765987b11a7f3bbc5ab0c09fd607e74fe3a9d9abc2c1b53b40a0744
- SHA512
  
  0a4ceec9b78c9052e437602f9786d7120d9746284995d4dbc95ee450439744ffb1633fe7ed527e923be3be9712861a6dd4c3e91ee886738969344ef6fcdeb0c4
- SSDEEP
  
  6144:tFVE4WG2I57ymtZxIGHi/oDYlcOIzgNlfig5OfYlqkp:lZ2y7ymzOu+hNln8k
Score

10^/10

redline lyllkal.05.09 mettop1 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinelyllkal.05.09mettop1discoveryinfostealerpersistencespywarestealer