redline | 01ee39dcccaa4c07c5f561e68557c3bf316809c82f156a99d03a5ed55e510e96 | Triage

Sharing

General

Target

C4Loader.exe
Size

495KB
Sample

221116-kb7x2sdf8y
MD5

6ad201444bc392451ffdde0ac9c6249d
SHA1

789bf76655e304bc52698de43c553e902a494e1e
SHA256

01ee39dcccaa4c07c5f561e68557c3bf316809c82f156a99d03a5ed55e510e96
SHA512

c0c75b5476abf61f3986f54a2151e76632ad9ce7fcb844acbc9d19e47aa92397c4208bf62a85d2578b2991e8cb591c023a3c8550aa59f1ba401ff69b82fb8ad8
SSDEEP

12288:65z183Z0RwnuD9VHG5m6b+5rPuAaX5nKr3:sG0qm6orY5nM

Score

10^/10

redline 1 evasion infostealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Targets

- Target
  
  C4Loader.exe
- Size
  
  495KB
- MD5
  
  6ad201444bc392451ffdde0ac9c6249d
- SHA1
  
  789bf76655e304bc52698de43c553e902a494e1e
- SHA256
  
  01ee39dcccaa4c07c5f561e68557c3bf316809c82f156a99d03a5ed55e510e96
- SHA512
  
  c0c75b5476abf61f3986f54a2151e76632ad9ce7fcb844acbc9d19e47aa92397c4208bf62a85d2578b2991e8cb591c023a3c8550aa59f1ba401ff69b82fb8ad8
- SSDEEP
  
  12288:65z183Z0RwnuD9VHG5m6b+5rPuAaX5nKr3:sG0qm6orY5nM
Score

10^/10

redline 1 evasion infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Impair Defenses

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

redline1evasioninfostealer