redline | 391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

1.7MB
Sample

221008-ykhamsfeek
MD5

7d2177241b4fa57a9e3e6de208875025
SHA1

b8c1d3171e82de04821ff213bd298c368c4c0b0f
SHA256

391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017
SHA512

b3071a54f6c94085be43e5093c0acb62c12dbe8d6ccfeb474e46741e255c6aec3c2e8f8bf9b2380791fee33feda75d4540bdbfc17da9bb040ea47e797b276f5a
SSDEEP

49152:Vz/r2pelcD7gxpL4zMdZYkuFUFeDsHpWkIxXBR0:Vz/r2olcWL4zcD4TR

Score

10^/10

redline @moriwws h infostealer persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220812-en

redline @moriwws infostealer spyware

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220812-en

redline @moriwws h infostealer persistence spyware

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@moriwWs

C2

litrazalilibe.xyz:81

Attributes

auth_value
c2f987b4e6cd55ad1315311e92563eca

Extracted

Family

redline

C2

185.186.142.127:17355

Attributes

auth_value
2d7be1ed915f7e5f91af0977d4175cb7

Extracted

Family

redline

Botnet

h

C2

185.106.92.139:16578

Attributes

auth_value
d5aafe5ab67bae4a3f7cda3b2e30f9b7

Targets

- Target
  
  tmp
- Size
  
  1.7MB
- MD5
  
  7d2177241b4fa57a9e3e6de208875025
- SHA1
  
  b8c1d3171e82de04821ff213bd298c368c4c0b0f
- SHA256
  
  391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017
- SHA512
  
  b3071a54f6c94085be43e5093c0acb62c12dbe8d6ccfeb474e46741e255c6aec3c2e8f8bf9b2380791fee33feda75d4540bdbfc17da9bb040ea47e797b276f5a
- SSDEEP
  
  49152:Vz/r2pelcD7gxpL4zMdZYkuFUFeDsHpWkIxXBR0:Vz/r2olcWL4zcD4TR
Score

10^/10

redline @moriwws infostealer spyware h persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redline@moriwwsinfostealerspyware

behavioral2

redline@moriwwshinfostealerpersistencespyware

© 2018-2024

Terms | Privacy