redline | f22db49eb28bed665323bb791d0212a726ddc4c2c8abf0c90c8b33221ada9327 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

f22db49eb28bed665323bb791d0212a726ddc4c2c8abf0c90c8b33221ada9327
Size

274KB
Sample

221207-ggzl3sad52
MD5

4b37463b99d718640c39c17913be9823
SHA1

ff04559f82f6172dcd40df67219adbab4297a8d0
SHA256

f22db49eb28bed665323bb791d0212a726ddc4c2c8abf0c90c8b33221ada9327
SHA512

3238389965842debee424428c33518c642bfc0440794a23c409b0f30b33c341bccf3003fd85e6c7cb971ccbcc99bd434153aa25351953b5935805c884fa8927f
SSDEEP

6144:H1fxU+meDCNl4QfoJy7RlfMCF7UEMusZ00:HtNmLNmQA2jFwEMus

Score

10^/10

redline yt evasion infostealer spyware themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

f22db49eb28bed665323bb791d0212a726ddc4c2c8abf0c90c8b33221ada9327.exe

Resource

win10-20220812-en

redline yt evasion infostealer spyware themida trojan

windows10-1703-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

YT

C2

65.21.5.58:48811

Attributes

auth_value
fb878dde7f3b4ad1e1bc26d24db36d28

Targets

- Target
  
  f22db49eb28bed665323bb791d0212a726ddc4c2c8abf0c90c8b33221ada9327
- Size
  
  274KB
- MD5
  
  4b37463b99d718640c39c17913be9823
- SHA1
  
  ff04559f82f6172dcd40df67219adbab4297a8d0
- SHA256
  
  f22db49eb28bed665323bb791d0212a726ddc4c2c8abf0c90c8b33221ada9327
- SHA512
  
  3238389965842debee424428c33518c642bfc0440794a23c409b0f30b33c341bccf3003fd85e6c7cb971ccbcc99bd434153aa25351953b5935805c884fa8927f
- SSDEEP
  
  6144:H1fxU+meDCNl4QfoJy7RlfMCF7UEMusZ00:HtNmLNmQA2jFwEMus
Score

10^/10

redline yt evasion infostealer spyware themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlineytevasioninfostealerspywarethemidatrojan

© 2018-2024

Terms | Privacy