redline | f460aba4130701652e226e6059f5501065b6e6673ffb72aea0a1918af1c6a922 | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

5

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

271KB
Sample

220912-jxn7dsgfbm
MD5

aee6c62d6b368930e67f0cab675f82db
SHA1

1c17f6a80effc740363e8fdb8812ffa10c9ef0f4
SHA256

f460aba4130701652e226e6059f5501065b6e6673ffb72aea0a1918af1c6a922
SHA512

983e4bc53dc66cfc532bb1c983617f3d94b279871028da6610dc6b315892b30fd5c5231dff1c7d09f9500786cac49c46a4832d4faa4df32e6ed37794f6093f6c
SSDEEP

3072:XJfnJtoWhBBjzo/BcIWfDQ5V8undnwwqVazrQl7Sv7T2FGVnxylCK1:Z0cBjzQB3WfDQ5Vvdfkl7Gv6GVxyss

Score

10^/10

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220812-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20220812-en

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

sep10as1

C2

185.215.113.122:15386

Attributes

auth_value
e45012eae57b2e57b34752fc802550c3

Extracted

Family

redline

Botnet

Lyla.11.09

C2

185.215.113.216:21921

Attributes

auth_value
a1e5192e588aa983d678ceb4d6e0d8b5

Targets

- Target
  
  file.exe
- Size
  
  271KB
- MD5
  
  aee6c62d6b368930e67f0cab675f82db
- SHA1
  
  1c17f6a80effc740363e8fdb8812ffa10c9ef0f4
- SHA256
  
  f460aba4130701652e226e6059f5501065b6e6673ffb72aea0a1918af1c6a922
- SHA512
  
  983e4bc53dc66cfc532bb1c983617f3d94b279871028da6610dc6b315892b30fd5c5231dff1c7d09f9500786cac49c46a4832d4faa4df32e6ed37794f6093f6c
- SSDEEP
  
  3072:XJfnJtoWhBBjzo/BcIWfDQ5V8undnwwqVazrQl7Sv7T2FGVnxylCK1:Z0cBjzQB3WfDQ5Vvdfkl7Gv6GVxyss
Score

10^/10

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

redlinelyla.11.09sep10as1discoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy