redline

Sharing

Copy URL

Twitter E-mail

General

Target

Launcher.zip
Size

4KB
Sample

221014-py5hnadea5
MD5

605e7a0b57cfa97c820015b38861a6ae
SHA1

abe5bca85c0108a69fa95e6aa94ccc7fb1580fff
SHA256

36c3824bee3a74e57b85384363df0c51bd36b6bf8f965d1ae09303fdb58cd382
SHA512

16bc7792d0f2ced275ec5ecc90c5992ef00f34a82951e0e04bec59aa56793d740d1bbc57b81a3f215ef9deecfe4a757f278d437933a670b2be1c8ede8ae9bc95
SSDEEP

96:du78u0EBrH/D4B2GnpZmQdr6z137cH9cG/6QM2:uRjB3oTpgQdrimiQM2

Score

10^/10

redline @moriwws h infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

@moriwWs

litrazalilibe.xyz:81

Attributes

auth_value
c2f987b4e6cd55ad1315311e92563eca

Extracted

Family

redline

185.186.142.127:17355

Attributes

auth_value
2d7be1ed915f7e5f91af0977d4175cb7

Extracted

Family

redline

Botnet

185.106.92.139:16578

Attributes

auth_value
d5aafe5ab67bae4a3f7cda3b2e30f9b7

Targets

- Target
  
  Launcher.zip
- Size
  
  4KB
- MD5
  
  605e7a0b57cfa97c820015b38861a6ae
- SHA1
  
  abe5bca85c0108a69fa95e6aa94ccc7fb1580fff
- SHA256
  
  36c3824bee3a74e57b85384363df0c51bd36b6bf8f965d1ae09303fdb58cd382
- SHA512
  
  16bc7792d0f2ced275ec5ecc90c5992ef00f34a82951e0e04bec59aa56793d740d1bbc57b81a3f215ef9deecfe4a757f278d437933a670b2be1c8ede8ae9bc95
- SSDEEP
  
  96:du78u0EBrH/D4B2GnpZmQdr6z137cH9cG/6QM2:uRjB3oTpgQdrimiQM2
Score

1^/10
behavioral1 behavioral2
- Target
  
  Launcher/INFO.txt
- Size
  
  3KB
- MD5
  
  ff5a8524d68dfeaa43817dd615fc978b
- SHA1
  
  d3e777906f9c8ef420a16dcea4df1b79bbdc9a45
- SHA256
  
  a17ed8a04c68bc3de4cc996feaf103babf9e2bd77f11af281d0fdaaa8075b994
- SHA512
  
  f3bbf7d83ce72d682f81b434a02a62018054c52426eff25ba2c513e0dafaaacd63bf2cb2714106453e2fee659354d38b17f6c6f3442d4779fe357e0c4677fc6d
Score

1^/10
behavioral3 behavioral4
- Target
  
  Launcher/Opener.bat
- Size
  
  2KB
- MD5
  
  8092113dbaa8ee234de6ee8039b7db66
- SHA1
  
  6cdb65dd9e6aaa54a82ff3ac10e1b9b40bfc8e39
- SHA256
  
  576e869202da1137de261ed1519ad0487331a69db5890b0746b5bf4d310d3992
- SHA512
  
  badfd71b652f9a3c91c690269e0ef36496998614a0d7c30bbbed8bebb163bac5590fed3188ae907829536cb96a008299ad63d6950ebb9623f927877f89197754
Score

10^/10

redline @moriwws h infostealer persistence spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Launcher/zzen.dll
- Size
  
  1KB
- MD5
  
  9a9927c76bf5cb5d9bb169ff194d00c3
- SHA1
  
  b9d8ac8b972e79e64d4b86a286ea91bfa58f3c16
- SHA256
  
  9c545fe8f7cfb23deeba66742d404f40476b07df7c5dc0c19bb25b80da670be6
- SHA512
  
  266319dde44d695eb4bd2c0d96b3fbe46e1705139e48740ea6a457b5de2ddf8eda4f1e84e6e2ebaea0c4969492aab5e918296e6e6260dce08f22acbbe14df1db
Score

1^/10
behavioral7 behavioral8
- Target
  
  bypasser
- Size
  
  284B
- MD5
  
  750d2d6e6d90d6ee0cbd3c28e2707a8c
- SHA1
  
  d5ded609bdd6bf159f933bdc2fb0dd35f9025a45
- SHA256
  
  f474dc2ec8e6751f98af5d622c9aa45198c82f92974c586e90dd965b4e34d4d9
- SHA512
  
  3c9a625a2bdcb5dfbe1c39f21f5264632875fc4998bcdadd4e1ec93d8b7431c11c58ddba873cfa0b684169b7b71856fa3ecf30eb0e3fbccd4105c70ffcdef16f
Score

1^/10
behavioral9 behavioral10
- Target
  
  gpasser.cmd
- Size
  
  1001B
- MD5
  
  2383324af89f82aa98bb362b0e91f0fc
- SHA1
  
  7f3d00c4294b9e4a3a0ea0ebe20715f72e771e64
- SHA256
  
  5c0e11041b868a1d066e8bb8d938ba4f567891d5753321d0f70a8b2ca0371585
- SHA512
  
  c673f86c5fa55388e72584f9d234e8ab64a918092d470bb73cd7f0f38226808bd75aeb0e014b9f7077538a546a4f2a52317f95c4414b16e66e8788b25388300b
Score

1^/10
behavioral11 behavioral12
- Target
  
  ks.avi
- Size
  
  1KB
- MD5
  
  f0c204bc611408d8df61ad55b780cc93
- SHA1
  
  59247bf13acae45fffe83101baa6dd2ce8f4decc
- SHA256
  
  62042952515a52cf38f41b2e5e8f3ab59fc690f9a42658720bff56507ab2add2
- SHA512
  
  4903874af4067763bef67c32d0da1fe60990b266c850aee5684b9bc8e9d5e7869ac6bb9ba812b2e6f450673c24ebb46e14547ff283b4cb31b114ee36b7dfb356
Score

1^/10
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

RedLine payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14