redline | 41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f | Triage

Sharing

General

Target

file.exe
Size

266KB
Sample

220912-v3pkwshebj
MD5

542e377b7f62682e7fe65be4abea95cc
SHA1

e42976a4b7b5c4ffad3fdd9b7e7c054543255489
SHA256

41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f
SHA512

67b413b214c5aaa6f4658165bc8a40e2bcdf2bd85432385857a6e61a3bea4cb0eb95d94196dd19786e58662e4450fdc2fe8a6116c1147c0b28339f484d141fd3
SSDEEP

6144:27Q4DvBjzYmTs2D1wxcuLE80ZO0nLR9W:27Q4D54MZwxcuZ30nF9W

Score

10^/10

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

sep10as1

C2

185.215.113.122:15386

Attributes

auth_value
e45012eae57b2e57b34752fc802550c3

Extracted

Family

redline

Botnet

Lyla.11.09

C2

185.215.113.216:21921

Attributes

auth_value
a1e5192e588aa983d678ceb4d6e0d8b5

Targets

- Target
  
  file.exe
- Size
  
  266KB
- MD5
  
  542e377b7f62682e7fe65be4abea95cc
- SHA1
  
  e42976a4b7b5c4ffad3fdd9b7e7c054543255489
- SHA256
  
  41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f
- SHA512
  
  67b413b214c5aaa6f4658165bc8a40e2bcdf2bd85432385857a6e61a3bea4cb0eb95d94196dd19786e58662e4450fdc2fe8a6116c1147c0b28339f484d141fd3
- SSDEEP
  
  6144:27Q4DvBjzYmTs2D1wxcuLE80ZO0nLR9W:27Q4D54MZwxcuZ30nF9W
Score

10^/10

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

redlinelyla.11.09sep10as1discoveryinfostealerpersistencespywarestealer