redline | 41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f
Size

266KB
Sample

220912-xd8ctadhc4
MD5

542e377b7f62682e7fe65be4abea95cc
SHA1

e42976a4b7b5c4ffad3fdd9b7e7c054543255489
SHA256

41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f
SHA512

67b413b214c5aaa6f4658165bc8a40e2bcdf2bd85432385857a6e61a3bea4cb0eb95d94196dd19786e58662e4450fdc2fe8a6116c1147c0b28339f484d141fd3
SSDEEP

6144:27Q4DvBjzYmTs2D1wxcuLE80ZO0nLR9W:27Q4D54MZwxcuZ30nF9W

Score

10^/10

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f.exe

Resource

win10-20220812-en

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer

windows10-1703-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

sep10as1

C2

185.215.113.122:15386

Attributes

auth_value
e45012eae57b2e57b34752fc802550c3

Extracted

Family

redline

Botnet

Lyla.11.09

C2

185.215.113.216:21921

Attributes

auth_value
a1e5192e588aa983d678ceb4d6e0d8b5

Targets

- Target
  
  41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f
- Size
  
  266KB
- MD5
  
  542e377b7f62682e7fe65be4abea95cc
- SHA1
  
  e42976a4b7b5c4ffad3fdd9b7e7c054543255489
- SHA256
  
  41ab80747568556afc3efa5177acf7ea124db76ab4bdc1fd5fdb4424ab3a1a9f
- SHA512
  
  67b413b214c5aaa6f4658165bc8a40e2bcdf2bd85432385857a6e61a3bea4cb0eb95d94196dd19786e58662e4450fdc2fe8a6116c1147c0b28339f484d141fd3
- SSDEEP
  
  6144:27Q4DvBjzYmTs2D1wxcuLE80ZO0nLR9W:27Q4D54MZwxcuZ30nF9W
Score

10^/10

redline lyla.11.09 sep10as1 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinelyla.11.09sep10as1discoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy