Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    361KB

  • Sample

    220910-y6pa3safb2

  • MD5

    d84842f7912d62c8e9f44c8a11cb3cc0

  • SHA1

    2e42c24f7e4b5917664621deea56a2646497a3ce

  • SHA256

    c31382b24d3f3ed0cf2873aeb3bc2510ca7869a1ff64a55b48ccf8a7145b9493

  • SHA512

    772f9e6cf0dd5970c58212fddfb2e214582472ee21a28855700bec714d71b07d8ab66a7ef681b1b6b3c35958b76be01f6bb110d9b0a9c5b716a6a6f82defb4cd

  • SSDEEP

    6144:LoKpw8+J7IA2IWkKUpJFEtNDqO1fa5maeB7QtG9Pvn277hnlTpYGIrQ2+gFlA:Ly7oIWwpAb7i5maeB7QtG9Pvn277hnl/

Score
10/10
redline4discoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

4

C2

79.110.62.196:26277

Attributes
  • auth_value

    e48cb0b64e920bb1a534eba5b2912707

Targets

    • Target

      file.exe

    • Size

      361KB

    • MD5

      d84842f7912d62c8e9f44c8a11cb3cc0

    • SHA1

      2e42c24f7e4b5917664621deea56a2646497a3ce

    • SHA256

      c31382b24d3f3ed0cf2873aeb3bc2510ca7869a1ff64a55b48ccf8a7145b9493

    • SHA512

      772f9e6cf0dd5970c58212fddfb2e214582472ee21a28855700bec714d71b07d8ab66a7ef681b1b6b3c35958b76be01f6bb110d9b0a9c5b716a6a6f82defb4cd

    • SSDEEP

      6144:LoKpw8+J7IA2IWkKUpJFEtNDqO1fa5maeB7QtG9Pvn277hnlTpYGIrQ2+gFlA:Ly7oIWwpAb7i5maeB7QtG9Pvn277hnl/

    Score
    10/10
    redline4discoveryevasioninfostealerspywarestealertrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks