Overview

overview

10

Static

static

84fa342db3...a8.exe

windows7-x64

10

84fa342db3...a8.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    84fa342db3e61b9a30b76763efbbfaea700476a8

  • Size

    247KB

  • Sample

    230111-xbyetshf8t

  • MD5

    1eed44b17228fbc5779f5bb908161e73

  • SHA1

    84fa342db3e61b9a30b76763efbbfaea700476a8

  • SHA256

    ef977f35deec3d30dceafdc1b9ba117928ce3f78156dfa63596bcdf1d0d81d8b

  • SHA512

    3ac850fe79c9f20e2311898f2e9b57a4fc9f45e135b916822105afa00528fc16f73fdf89a7cfdcd020fc4c7f855a12cb8b4dd7b969146fa8e68d104b3b3e4b5a

  • SSDEEP

    6144:w93F+3NnZo50r9uMlWr1o1XUQTH3oXx/EAOhxm09nmvc:S4tZo50r9uMlWg1ZrxtnF

Score
10/10
redline1evasioninfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes
  • auth_value

    3a5bb0917495b4312d052a0b8977d2bb

Targets

    • Target

      84fa342db3e61b9a30b76763efbbfaea700476a8

    • Size

      247KB

    • MD5

      1eed44b17228fbc5779f5bb908161e73

    • SHA1

      84fa342db3e61b9a30b76763efbbfaea700476a8

    • SHA256

      ef977f35deec3d30dceafdc1b9ba117928ce3f78156dfa63596bcdf1d0d81d8b

    • SHA512

      3ac850fe79c9f20e2311898f2e9b57a4fc9f45e135b916822105afa00528fc16f73fdf89a7cfdcd020fc4c7f855a12cb8b4dd7b969146fa8e68d104b3b3e4b5a

    • SSDEEP

      6144:w93F+3NnZo50r9uMlWr1o1XUQTH3oXx/EAOhxm09nmvc:S4tZo50r9uMlWg1ZrxtnF

    Score
    10/10
    redline1evasioninfostealerspyware

    • Modifies security service

      evasion

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks