redline | 2f71c2aca595dca2830cd5ecb4927e3a5f8502637929ca874165ccf1997f896f | Triage

Submit
Reports

Overview

overview

Static

static

Attachment.js

windows7-x64

Attachment.js

windows10-2004-x64

Sharing

General

Target

Attachment.js
Size

16KB
Sample

221129-l7lkcshf67
MD5

a5e53490de507ad38f48feb3944ea8f1
SHA1

db5d2cb363c4bcb8ed2406cb3ba7328fae62aece
SHA256

2f71c2aca595dca2830cd5ecb4927e3a5f8502637929ca874165ccf1997f896f
SHA512

381419f42b75dc4149c1b9a10bf414ff9599290c949280e34c2c4e347af3a514aefa284670a177dcf997b693115e4cfe5ccc9e8fd97c977930a3bc112ba41a97
SSDEEP

384:NKmR3PfU2qCzuB01e8WuheOaEo/DuQy4W3KieZaEqO3aLfxk3l:NKmFf5xDJcOO6QoRCqO39

Score

10^/10

redline vjw0rm app discovery infostealer spyware stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

Attachment.js

Resource

win7-20220812-en

redline vjw0rm app discovery infostealer spyware stealer trojan worm

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

Attachment.js

Resource

win10v2004-20221111-en

vjw0rm trojan worm

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

APP

C2

37.139.128.51:53092

Targets

- Target
  
  Attachment.js
- Size
  
  16KB
- MD5
  
  a5e53490de507ad38f48feb3944ea8f1
- SHA1
  
  db5d2cb363c4bcb8ed2406cb3ba7328fae62aece
- SHA256
  
  2f71c2aca595dca2830cd5ecb4927e3a5f8502637929ca874165ccf1997f896f
- SHA512
  
  381419f42b75dc4149c1b9a10bf414ff9599290c949280e34c2c4e347af3a514aefa284670a177dcf997b693115e4cfe5ccc9e8fd97c977930a3bc112ba41a97
- SSDEEP
  
  384:NKmR3PfU2qCzuB01e8WuheOaEo/DuQy4W3KieZaEqO3aLfxk3l:NKmFf5xDJcOO6QoRCqO39
Score

10^/10

redline vjw0rm app discovery infostealer spyware stealer trojan worm
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinevjw0rmappdiscoveryinfostealerspywarestealertrojanworm

behavioral2

vjw0rmtrojanworm

© 2018-2024

Terms | Privacy