redline | da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd | Triage

Submit
Reports

Overview

overview

Static

static

winprofile

windows7-x64

winprofile

windows10-1703-x64

Sharing

Copy URL Twitter E-mail

General

Target

da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd
Size

2.4MB
Sample

221101-nk3lgabde4
MD5

31fc2ff39a3c49638f6f650c509deb3f
SHA1

87657e08826225f2c7adbaf9bc2a0a9fc5fd7ccd
SHA256

da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd
SHA512

3294f6f13f2990ca3a1479914aba0ae1da9b3dfe354e37d30809023d66cf0a8f5558556b568c0a7e77fdae5576d35ec638ca7e8bcc7c3acd929db4e49b868dc1
SSDEEP

24576:DM3mEyYcY+lpbgwMAPlKUhqLmNugOhYNyO8BLBk5LkSrWDGIHNe+el3RuQ55313u:MmnkmUO8BLBk5V3l3Q

Score

10^/10

redline evasion infostealer persistence spyware upx vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd.exe

Resource

win7-20220812-en

redline evasion infostealer persistence spyware upx

windows7-x64

25 signatures

300 seconds

Behavioral task

behavioral2

Sample

da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd.exe

Resource

win10-20220812-en

redline evasion infostealer spyware upx vmprotect

windows10-1703-x64

25 signatures

300 seconds

Malware Config

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes

auth_value
024d191501563555109913dcf3ada91c

Targets

- Target
  
  da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd
- Size
  
  2.4MB
- MD5
  
  31fc2ff39a3c49638f6f650c509deb3f
- SHA1
  
  87657e08826225f2c7adbaf9bc2a0a9fc5fd7ccd
- SHA256
  
  da7b16b948a62aaf5837f2a4efa59856b3c9b76da79df7b404b1011a99d460cd
- SHA512
  
  3294f6f13f2990ca3a1479914aba0ae1da9b3dfe354e37d30809023d66cf0a8f5558556b568c0a7e77fdae5576d35ec638ca7e8bcc7c3acd929db4e49b868dc1
- SSDEEP
  
  24576:DM3mEyYcY+lpbgwMAPlKUhqLmNugOhYNyO8BLBk5LkSrWDGIHNe+el3RuQ55313u:MmnkmUO8BLBk5V3l3Q
Score

10^/10

redline evasion infostealer persistence spyware upx vmprotect
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

redlineevasioninfostealerpersistencespywareupx

behavioral2

redlineevasioninfostealerspywareupxvmprotect

© 2018-2025

Terms | Privacy