redline | d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

66721704fc...4d.exe

windows7-x64

66721704fc...4d.exe

windows10-2004-x64

Sharing

General

Target

66721704fcb230df0479066c961b704d.exe
Size

1.3MB
Sample

221029-3lj8vacebn
MD5

66721704fcb230df0479066c961b704d
SHA1

06846af0ac608f14177c26cb3c15bf2a028a736e
SHA256

d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31
SHA512

9b05d40c8f11dc360473cf072bd9d79642cd27cf9d37b43a878c7228093c4a7fc92da1633492e5495be88c29cb0c2051f93ddf4633478db04570400cd853e4ff
SSDEEP

24576:mpRkyTKA1eBSjvjmviCWYoa19btJGnjPGcoielIYACCSFAsnCE:BU5ex6zxa19btJGnrguYAERC

Score

10^/10

redline @ebaniynoyname infostealer persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

66721704fcb230df0479066c961b704d.exe

Resource

win7-20220812-en

redline @ebaniynoyname infostealer spyware

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

66721704fcb230df0479066c961b704d.exe

Resource

win10v2004-20220901-en

redline @ebaniynoyname infostealer persistence spyware

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@EBANIYNOYNAME

C2

82.115.223.162:26393

Attributes

auth_value
3517499b9df589c8c64f775931cb7b6d

Targets

- Target
  
  66721704fcb230df0479066c961b704d.exe
- Size
  
  1.3MB
- MD5
  
  66721704fcb230df0479066c961b704d
- SHA1
  
  06846af0ac608f14177c26cb3c15bf2a028a736e
- SHA256
  
  d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31
- SHA512
  
  9b05d40c8f11dc360473cf072bd9d79642cd27cf9d37b43a878c7228093c4a7fc92da1633492e5495be88c29cb0c2051f93ddf4633478db04570400cd853e4ff
- SSDEEP
  
  24576:mpRkyTKA1eBSjvjmviCWYoa19btJGnjPGcoielIYACCSFAsnCE:BU5ex6zxa19btJGnrguYAERC
Score

10^/10

redline @ebaniynoyname infostealer spyware persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redline@ebaniynoynameinfostealerspyware

behavioral2

redline@ebaniynoynameinfostealerpersistencespyware

© 2018-2025

Terms | Privacy