redline | a2766924130f9f5c19eeee078f29d1073c89734cb570775f67d70a95ef6dea1d | Triage

Resubmissions

26-11-2022 03:27

221126-dzv5tshc68 7

26-11-2022 03:23

221126-dxxwmscd6w 10

Sharing

General

Target

Sоnic_Frоntiеrs_Sеtuр.rar
Size

6.1MB
Sample

221126-dxxwmscd6w
MD5

472f13bd6d30e22b128380007de2bb0b
SHA1

f01a0b725e76bdc5d081c5b1403bea96d4abcf2c
SHA256

a2766924130f9f5c19eeee078f29d1073c89734cb570775f67d70a95ef6dea1d
SHA512

a96af20fd676ea87ed74f86d2375582be8ba26539c3ca69c2bd079e5727891263c8d5af18ee12cabbfb4520e11099539d601d7bd6967d9795f68b069c7182e34
SSDEEP

196608:UWf6ASP/zOCeSRMHIdK0zlll4Zj9fBLwJbFZ:cASP7JeSRMIdK0rl4ZRfBwJ

Score

10^/10

redline @cham1ng infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@cham1ng

C2

193.106.191.160:8673

Attributes

auth_value
296c18e34d670ae41d67c9e09e2546b7

Targets

- Target
  
  Sоnic Frоntiеrs Sеtuр/CoreFoundation.resources/Info.plist
- Size
  
  1KB
- MD5
  
  5596ffca74c5aace74655135b7cbdef5
- SHA1
  
  062b0eeb23e8bd5841afc93681db96dc5c5168c9
- SHA256
  
  2d4a9e1a4b85dfc33b0393fe0a24f838f9d91771977a430d046d910227fc4935
- SHA512
  
  27b5bd9416296a16557d6b64ebff3d4ae99065038fd4e5082af1955737e4127b95b5089aa72eb8139d73a43f2f2b9c64a44c9e1fe6754914ebad2760ce06e3f1
Score

1^/10
behavioral1 behavioral2
- Target
  
  Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/AVAssetExportPresets.plist
- Size
  
  90KB
- MD5
  
  dceae93ac31c07194213df45c1ec6e52
- SHA1
  
  fe2ef746c9d20a8302b78e6af25601865c3fabb3
- SHA256
  
  7589ba6518e70636f8d3983704d8218ff4496faf006e02fc1a8f9bb13689036a
- SHA512
  
  74becd068a96c36f095486a963d9e571c4747ab34ebca71c0cbd1b1eed0a63253e9b18b369abbef62ac420f6909c19696a8bd2ecf4d7ae622141118cd6bbd28a
- SSDEEP
  
  1536:T7Zsg7DGrddEa+7+NRmzAZmklvA9q8uBXFOmogo3jPwFQBvVS/+O/Q/h2/b/XcrK:S
Score

1^/10
behavioral3 behavioral4
- Target
  
  Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/AVExportBitRate.plist
- Size
  
  13KB
- MD5
  
  bac154c89a2528f138f3e8df54f08596
- SHA1
  
  27cbe4dbce5c6e5fc65c18faeb89f883db321e83
- SHA256
  
  35e8c1eccc3bad0fae187b2fcc505b9324de8d23d6faaf1dad67e137e56ec804
- SHA512
  
  fa67a5892441cb71a266b06f99af1ecf401b9da3807d6be42d15d12f6ac6e1702cabc8ca476821f1cf4d328dfe97bc05c49ab5f754b4e0aac609236912008fa1
- SSDEEP
  
  192:X+ik5VUEoWKAFPGYwo0kmq4YL8fbKA1ribKAhG6EoWvz+qY2GlGdpqUwz1jQNoOj:NG9s
Score

7^/10
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral5 behavioral6
- Target
  
  Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/Info.plist
- Size
  
  850B
- MD5
  
  6db12b4fc294da06c67f3da1e1e4f71a
- SHA1
  
  54f018577999af58738b55866e447129e0b3508d
- SHA256
  
  8f1ae2fd98861f82d4625fdc22a0bf233a777ce7b0780c14637591534000e287
- SHA512
  
  e3467d1fcc6e361e6f00d549c084783822b704ea2f8464a43310cae5f96376d902d56fea15d66cd00a6f5d4287f6bf0a20cfb744a40f33a4542dd30a9a6cd263
Score

7^/10
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral7 behavioral8
- Target
  
  Sоnic Frоntiеrs Sеtuр/CoreText.resources/DefaultFontFallbacks.plist
- Size
  
  10KB
- MD5
  
  19d598c63424bc66845be5810d034ec1
- SHA1
  
  95ee46caa313e41db312cf9d3980ca75f70f3952
- SHA256
  
  2180713c84a6fccbba6903482cc289c0024f0b45735593d109592a4355802f9a
- SHA512
  
  a5e4554c35edd00ee7961c2631091ff9a3ad1990b9164ae75fe7462d813acb6b21f7d4351ab8701a551c949cae17ff65f88a50a650ea5f0603a7dd66ea18471f
- SSDEEP
  
  192:IsdVqoSJWO21IjQRS/2Og1QZQoYj2Og1Q0oeoYj2Og1QqoYc2Og1QaoYc2Og1Q8:Fr0b/wH24vV
Score

7^/10
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral10 behavioral9
- Target
  
  Sоnic Frоntiеrs Sеtuр/CoreText.resources/Info.plist
- Size
  
  1KB
- MD5
  
  c278fec706efa5d99dd2f84e3a588376
- SHA1
  
  d964cfa33d7941f80ff9cf5c3ae42a3e925fb710
- SHA256
  
  5d260a252fec8f0ea328bf6df575c40439a355a79bed692b16b1de0bdb41b457
- SHA512
  
  265b897b24e1b0593c9334bda520eb6c9047879f3550b232f55059d440bba55e55bbfdf6326faf4840d5a523655ec7840416e8bc65038695a302e7f160fb8217
Score

1^/10
behavioral11 behavioral12
- Target
  
  Sоnic Frоntiеrs Sеtuр/Foundation.resources/Info.plist
- Size
  
  748B
- MD5
  
  69b3130ce593f0ca98a4cfeddd3ef941
- SHA1
  
  2fc7757dfd5cfc313adab9626816a13a69fb3104
- SHA256
  
  8e8eb5aae32ba9e37c6c2c2b0312fa33347333072e3fbe11f7f3903955859560
- SHA512
  
  7c6348d957d2f41aea9ee7001758cc4b04ab8efc68916f9182ff864ed27e142afa6aad3121fef25bb5c28645f4faeccbfbf290dcf8b9cb305aa05118bcd96312
Score

1^/10
behavioral13 behavioral14
- Target
  
  Sоnic Frоntiеrs Sеtuр/Sоnic Frоntiеrs Sеtuр.exe
- Size
  
  763.6MB
- MD5
  
  1c3cf682c253a5a931a7de2e4be5e67e
- SHA1
  
  73ac7ba407fc95d0b7121eb0e9499dfbdf3ccdbc
- SHA256
  
  0ac69838b494dae7b4f64531ad20068d3b66b193858bbf1b4bfcb4e19417714a
- SHA512
  
  9ed28350ade2b5f07e8efb561563223115527e37c8e656e824fe800bbd99fe4395bc2e76e6441341fe11b8480aed9c72501a1e6bec0cd62b027a73d254816c98
- SSDEEP
  
  98304:lrl9Mjm6TJse6CiowYIHYLBlrqTaXEV/61IujIAnNu/ppEPlYMr:Nl9Km6TJH6TYI8BlrOki/d7AnmgPlB
Score

10^/10

redline @cham1ng infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

redline@cham1nginfostealerspyware

behavioral16

redline@cham1nginfostealerspyware