redline

General

Target

660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42
Size

7.2MB
Sample

221031-qrvkjsbae2
MD5

971bda1afde3df57ec466d5b345bfd74
SHA1

5d4a8aa30bf13921ba9406917ecc048bdc3a796c
SHA256

660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42
SHA512

b0f50f4268042e44200a413a91439ca06ef2701d99d4e4fd03a0f8a1379342273fd4d9f600ad3d3dce6cd714cbff9fd8feb46b6f39aa6af567b3c88130d10763
SSDEEP

196608:dS6dQmRrdA6lakaqdVTiZQ8OJYlR8eNyDqo:JdQOlawd6Q8OalRZ2r

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

3.0.0.1

C2

195.133.46.152:30098

Attributes

auth_value
b61fcbd1f87b475d1753fe6411f2847a

Targets

- Target
  
  660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42
- Size
  
  7.2MB
- MD5
  
  971bda1afde3df57ec466d5b345bfd74
- SHA1
  
  5d4a8aa30bf13921ba9406917ecc048bdc3a796c
- SHA256
  
  660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42
- SHA512
  
  b0f50f4268042e44200a413a91439ca06ef2701d99d4e4fd03a0f8a1379342273fd4d9f600ad3d3dce6cd714cbff9fd8feb46b6f39aa6af567b3c88130d10763
- SSDEEP
  
  196608:dS6dQmRrdA6lakaqdVTiZQ8OJYlR8eNyDqo:JdQOlawd6Q8OalRZ2r
Score

10^/10

redline 3.0.0.1 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2