redline | 569d9035ed630038599104bb8c770473e8cff91b3554a1deb4f4028b578429d3 | Triage

Submit
Reports

Overview

overview

Static

static

26154e506c...e6.exe

windows7-x64

26154e506c...e6.exe

windows10-2004-x64

7

Sharing

General

Target

26154e506c39c8b4681cc38a19c87249f8ce3ae6
Size

217KB
Sample

230114-qdrazaga53
MD5

15dec13bdd63907e5fcda9e7e621e1a2
SHA1

26154e506c39c8b4681cc38a19c87249f8ce3ae6
SHA256

569d9035ed630038599104bb8c770473e8cff91b3554a1deb4f4028b578429d3
SHA512

4a14c459e417d37cb841805e125c745b4bdbabd1611bbad7813b20cef639e9af99f981c16f94f7ab41765c34e6a1fa053f87a2755ce613db1d17171d72437586
SSDEEP

6144:AntQ758qxOopgCXDww83kI5vAOI3F5VyLchfn09c:AtQ758qxOopgzvuf0G

Score

10^/10

redline 1 evasion infostealer spyware

Static task

static1

Behavioral task

behavioral1

Sample

26154e506c39c8b4681cc38a19c87249f8ce3ae6.exe

Resource

win7-20221111-en

redline 1 evasion infostealer spyware

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

26154e506c39c8b4681cc38a19c87249f8ce3ae6.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Targets

- Target
  
  26154e506c39c8b4681cc38a19c87249f8ce3ae6
- Size
  
  217KB
- MD5
  
  15dec13bdd63907e5fcda9e7e621e1a2
- SHA1
  
  26154e506c39c8b4681cc38a19c87249f8ce3ae6
- SHA256
  
  569d9035ed630038599104bb8c770473e8cff91b3554a1deb4f4028b578429d3
- SHA512
  
  4a14c459e417d37cb841805e125c745b4bdbabd1611bbad7813b20cef639e9af99f981c16f94f7ab41765c34e6a1fa053f87a2755ce613db1d17171d72437586
- SSDEEP
  
  6144:AntQ758qxOopgCXDww83kI5vAOI3F5VyLchfn09c:AtQ758qxOopgzvuf0G
Score

10^/10

redline 1 evasion infostealer spyware
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

redline1evasioninfostealerspyware

behavioral2

© 2018-2024

Terms | Privacy