redline | 1702558a8ae1cda0af628944914cf12a6dc360092b67395779e90450dd1bf64d | Triage

Submit
Reports

Overview

overview

Static

static

07e1352f0f...a3.exe

windows7-x64

07e1352f0f...a3.exe

windows10-2004-x64

Sharing

General

Target

07e1352f0ff87e2a0848c543f0c084a3.exe
Size

1.3MB
Sample

220925-aygn9sdhdl
MD5

07e1352f0ff87e2a0848c543f0c084a3
SHA1

bc09be07ccd2664470585617ac2e8897a668c925
SHA256

1702558a8ae1cda0af628944914cf12a6dc360092b67395779e90450dd1bf64d
SHA512

6ec4aadcc10f24ac8a4b7b068d40ea2763835fc882114599a7080ef18af9f2836081a0cd3aa7fac39e772faca6c39c5ad3821262387bae5e45121252dccb5527
SSDEEP

24576:CymzerONUyCuIXr3pQBfzuMSmZD0hy91zuvNrkuC3b4ZoAnVZ3dUyU:pL4+eBLu9mZYkfzuVwcmaVJyy

Score

10^/10

redline wshrat explorer infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

07e1352f0ff87e2a0848c543f0c084a3.exe

Resource

win7-20220812-en

redline wshrat explorer infostealer persistence trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

07e1352f0ff87e2a0848c543f0c084a3.exe

Resource

win10v2004-20220901-en

redline wshrat explorer infostealer persistence trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

explorer

C2

159.223.57.212:8294

Targets

- Target
  
  07e1352f0ff87e2a0848c543f0c084a3.exe
- Size
  
  1.3MB
- MD5
  
  07e1352f0ff87e2a0848c543f0c084a3
- SHA1
  
  bc09be07ccd2664470585617ac2e8897a668c925
- SHA256
  
  1702558a8ae1cda0af628944914cf12a6dc360092b67395779e90450dd1bf64d
- SHA512
  
  6ec4aadcc10f24ac8a4b7b068d40ea2763835fc882114599a7080ef18af9f2836081a0cd3aa7fac39e772faca6c39c5ad3821262387bae5e45121252dccb5527
- SSDEEP
  
  24576:CymzerONUyCuIXr3pQBfzuMSmZD0hy91zuvNrkuC3b4ZoAnVZ3dUyU:pL4+eBLu9mZYkfzuVwcmaVJyy
Score

10^/10

redline wshrat explorer infostealer persistence trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinewshratexplorerinfostealerpersistencetrojan

behavioral2

redlinewshratexplorerinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy