redline | 3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cd8e811de64b5ac8fd4fdbc0aef185b8.exe
Size

1.3MB
Sample

221025-12cslaeab9
MD5

cd8e811de64b5ac8fd4fdbc0aef185b8
SHA1

4a2ddbdb8334e0c6aaf41a6bf7f4f0fee4f5ff9f
SHA256

3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141
SHA512

7c153910134b7033480d15797917fc8b0b4b97439e41c2c5c637ceae6e5b48c91641097498ef39666f7e232cdbd3c8b6d8dd565b627ce2ee6effe6c8aff00c4d
SSDEEP

24576:IVo7uE0Oab8xook2OoYQYzzK52QbgWC3yNaarmNZS8hDpAj+5ugpUPiSrcw84obs:WMOJAfPVvtTeRdZEHQJfQuB

Score

10^/10

redline @twister discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@twister

C2

82.115.223.56:39447

Attributes

auth_value
ebf5cafd80021ba96c31d3833dbb9d24

Targets

- Target
  
  cd8e811de64b5ac8fd4fdbc0aef185b8.exe
- Size
  
  1.3MB
- MD5
  
  cd8e811de64b5ac8fd4fdbc0aef185b8
- SHA1
  
  4a2ddbdb8334e0c6aaf41a6bf7f4f0fee4f5ff9f
- SHA256
  
  3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141
- SHA512
  
  7c153910134b7033480d15797917fc8b0b4b97439e41c2c5c637ceae6e5b48c91641097498ef39666f7e232cdbd3c8b6d8dd565b627ce2ee6effe6c8aff00c4d
- SSDEEP
  
  24576:IVo7uE0Oab8xook2OoYQYzzK52QbgWC3yNaarmNZS8hDpAj+5ugpUPiSrcw84obs:WMOJAfPVvtTeRdZEHQJfQuB
Score

10^/10

redline @twister discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redline@twisterdiscoveryinfostealerspywarestealer

behavioral2

discoveryspywarestealer