redline | 55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

6KB
Sample

221215-v5qwqsfh4y
MD5

285cbd341de6e17b42f1663245a58346
SHA1

5281aa0f428bca4b5eeafda1b7eefc5735490d09
SHA256

55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
SHA512

4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d
SSDEEP

96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz

Score

10^/10

redline spoofer discovery infostealer spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20221111-en

redline spoofer discovery infostealer spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220812-en

redline spoofer discovery infostealer spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

SPOOFER

C2

20.197.226.40:32619

Targets

- Target
  
  tmp
- Size
  
  6KB
- MD5
  
  285cbd341de6e17b42f1663245a58346
- SHA1
  
  5281aa0f428bca4b5eeafda1b7eefc5735490d09
- SHA256
  
  55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
- SHA512
  
  4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d
- SSDEEP
  
  96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz
Score

10^/10

redline spoofer discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinespooferdiscoveryinfostealerspywarestealer

behavioral2

redlinespooferdiscoveryinfostealerspywarestealer

© 2018-2024

Terms | Privacy