redline | a5d8eac92699a2e8870775b0eb150bb3fdedf4e86f6b0a26a122ad5f7e9fd3c2 | Triage

Sharing

General

Target

b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1
Size

119KB
Sample

230103-a1sjjsgf45
MD5

d9a2313ebd1f9d41687e127028bc230e
SHA1

b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1
SHA256

a5d8eac92699a2e8870775b0eb150bb3fdedf4e86f6b0a26a122ad5f7e9fd3c2
SHA512

4ee00a77199e82d63967f9731a5dd101f2dcec52584337dff306c2d5b71dfa4d83ac473617da0b022d301f8878b5cd835b18a35603fbe9dd7682064dc30264be
SSDEEP

3072:EcJw0ADKnZ1bEGSzLu1XlEWb3MeUn3PAngc13Aa99sXcc:/W3IZ1bgQlExeUcN99sXcc

Score

10^/10

redline 1 evasion infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Targets

- Target
  
  b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1
- Size
  
  119KB
- MD5
  
  d9a2313ebd1f9d41687e127028bc230e
- SHA1
  
  b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1
- SHA256
  
  a5d8eac92699a2e8870775b0eb150bb3fdedf4e86f6b0a26a122ad5f7e9fd3c2
- SHA512
  
  4ee00a77199e82d63967f9731a5dd101f2dcec52584337dff306c2d5b71dfa4d83ac473617da0b022d301f8878b5cd835b18a35603fbe9dd7682064dc30264be
- SSDEEP
  
  3072:EcJw0ADKnZ1bEGSzLu1XlEWb3MeUn3PAngc13Aa99sXcc:/W3IZ1bgQlExeUcN99sXcc
Score

10^/10

redline 1 evasion infostealer spyware
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

redline1evasioninfostealerspyware