redline | 97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6 | Triage

Submit
Reports

Overview

overview

Static

static

7

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

2.9MB
Sample

221205-l83v2adf9v
MD5

1e46438f13693aaa0f35a0c796d60c61
SHA1

a4cfbb31c87c7368554a5081157382bedded6551
SHA256

97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6
SHA512

b0348e5f8962261a64130208c86321afebaff4fe1b1cb2b164a8bc35dca73ecfaaf7d2348865bee88233f3feeff3deb2884f23e86c66ee88270f55c6252c4778
SSDEEP

49152:zgVPqtIzOYelWFO5zKLV/28K6gCCLP8FL5A3mACFkHtNX6GB4I7pvIOSA:z4PSInelcYwVVK677DkHLXlB4CIPA

Score

10^/10

redline install evasion infostealer spyware themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220901-en

redline install evasion infostealer spyware themida trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20221111-en

redline install evasion infostealer themida trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

Install

C2

manddarinn.art:81

Attributes

auth_value
f9affed97251c08e7a096257ba9edfb2

Targets

- Target
  
  file.exe
- Size
  
  2.9MB
- MD5
  
  1e46438f13693aaa0f35a0c796d60c61
- SHA1
  
  a4cfbb31c87c7368554a5081157382bedded6551
- SHA256
  
  97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6
- SHA512
  
  b0348e5f8962261a64130208c86321afebaff4fe1b1cb2b164a8bc35dca73ecfaaf7d2348865bee88233f3feeff3deb2884f23e86c66ee88270f55c6252c4778
- SSDEEP
  
  49152:zgVPqtIzOYelWFO5zKLV/28K6gCCLP8FL5A3mACFkHtNX6GB4I7pvIOSA:z4PSInelcYwVVK677DkHLXlB4CIPA
Score

10^/10

redline install evasion infostealer spyware themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlineinstallevasioninfostealerspywarethemidatrojan

behavioral2

redlineinstallevasioninfostealerthemidatrojan

© 2018-2024

Terms | Privacy