redline

Resubmissions

18/10/2022, 04:32

221018-e51g6seeb8 10

18/10/2022, 04:06

221018-epj59aedd6 7

18/10/2022, 03:34

221018-d417mseefj 10

Sharing

Copy URL

Twitter E-mail

General

Target

be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
Size

521KB
Sample

221018-d417mseefj
MD5

c0318aa61a314fed79c87be28f0db3ba
SHA1

361e5206d2e0aeb88174c524e6c7cfb90c94670d
SHA256

be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
SHA512

619ad72faaa694d7dd141288c8f99738d3110fb2e08ea9a5feda3777d4d32456feca66a2e0da96a0610f475e358cb9bb99fc54a179fb98674f91cb205ff7a586
SSDEEP

12288:bjNYGB77lC5eQoyLKWRIvwr222Zy+CQI1Cr2H:bjN99J2eOWF22ZaTe

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

BirjRo1

79.137.197.136:23532

Attributes

auth_value
278e5c62cf6a9bb4e0ab732b17b0368e

Targets

- Target
  
  be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
- Size
  
  521KB
- MD5
  
  c0318aa61a314fed79c87be28f0db3ba
- SHA1
  
  361e5206d2e0aeb88174c524e6c7cfb90c94670d
- SHA256
  
  be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
- SHA512
  
  619ad72faaa694d7dd141288c8f99738d3110fb2e08ea9a5feda3777d4d32456feca66a2e0da96a0610f475e358cb9bb99fc54a179fb98674f91cb205ff7a586
- SSDEEP
  
  12288:bjNYGB77lC5eQoyLKWRIvwr222Zy+CQI1Cr2H:bjN99J2eOWF22ZaTe
Score

10^/10

redline birjro1 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Modifies WinLogon
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Downloads MZ/PE file

Executes dropped EXE

Sets DLL path for service in the registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Modifies WinLogon

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2