redline

General

Target

5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204
Size

5.6MB
Sample

221018-pbdresgabr
MD5

4150f5451a5a36988ba3ea58680e38b5
SHA1

a8baf514a9c9d1ee1702505e5bb7c6a9bf1f6edf
SHA256

5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204
SHA512

ebeca4bd553aecc06207f7ce79cbd283dff7ffb2e37ec86f10bfef25396130999a8d002cc80b97c2be89f3a332bacfaa27d76728f6d3886b5e36a233f72a4a63
SSDEEP

98304:xJ4U0u0/kKdd7QPHgsRyrnnqTNPECnhgNwNCmsLQQLCgBDBrPSTnrbrX6K8X22pQ:xJykelxsRAqLgNwNCzJRVU3L8X2SNTz2

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

buildnewdomain3

C2

hrabrlonian.xyz:81

Attributes

auth_value
a3efc6defd0c20f4e41b9199dcafae6d

Targets

- Target
  
  5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204
- Size
  
  5.6MB
- MD5
  
  4150f5451a5a36988ba3ea58680e38b5
- SHA1
  
  a8baf514a9c9d1ee1702505e5bb7c6a9bf1f6edf
- SHA256
  
  5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204
- SHA512
  
  ebeca4bd553aecc06207f7ce79cbd283dff7ffb2e37ec86f10bfef25396130999a8d002cc80b97c2be89f3a332bacfaa27d76728f6d3886b5e36a233f72a4a63
- SSDEEP
  
  98304:xJ4U0u0/kKdd7QPHgsRyrnnqTNPECnhgNwNCmsLQQLCgBDBrPSTnrbrX6K8X22pQ:xJykelxsRAqLgNwNCzJRVU3L8X2SNTz2
Score

10^/10

redline buildnewdomain3 agilenet discovery infostealer spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2