redline | 5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

setup.exe

windows7-x64

setup.exe

windows10-2004-x64

Sharing

General

Target

setup.exe
Size

12.5MB
Sample

230105-zdkb4agg9x
MD5

d7ac9f5311f60a1e99d3547d66f19a4d
SHA1

17a4692a0afbad5be0e94d13d0a7ba5526d1b522
SHA256

5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c
SHA512

c9af04f1324534ff842211f7b4cfa6abb49a8d987fd070a50918c7469b2d4d9d40992c972e51970c6245af12b43f107cdf0dd3f44e87b197d675a5f9ec86da7b
SSDEEP

393216:3xsX4B8eD3F+oI9KtC9N5cfZLxsaZf4nT7P4tU:3GI9FQ3OfZLSPP4q

Score

10^/10

redline infostealer spyware upx

Static task

static1

Behavioral task

behavioral1

Sample

setup.exe

Resource

win7-20221111-en

redline infostealer spyware upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

setup.exe

Resource

win10v2004-20221111-en

redline infostealer spyware upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

redline

C2

195.20.17.174:80

Attributes

auth_value
cf75908d75b4508135a38c8679c86f6e

Targets

- Target
  
  setup.exe
- Size
  
  12.5MB
- MD5
  
  d7ac9f5311f60a1e99d3547d66f19a4d
- SHA1
  
  17a4692a0afbad5be0e94d13d0a7ba5526d1b522
- SHA256
  
  5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c
- SHA512
  
  c9af04f1324534ff842211f7b4cfa6abb49a8d987fd070a50918c7469b2d4d9d40992c972e51970c6245af12b43f107cdf0dd3f44e87b197d675a5f9ec86da7b
- SSDEEP
  
  393216:3xsX4B8eD3F+oI9KtC9N5cfZLxsaZf4nT7P4tU:3GI9FQ3OfZLSPP4q
Score

10^/10

redline infostealer spyware upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Nirsoft
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlineinfostealerspywareupx

behavioral2

redlineinfostealerspywareupx

© 2018-2025

Terms | Privacy