redline | 404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c | Triage

Submit
Reports

Overview

overview

Static

static

77d29818be...4b.exe

windows7-x64

77d29818be...4b.exe

windows10-2004-x64

8

Sharing

General

Target

77d29818be0d01c38545baa0bd4551c6853c224b
Size

365KB
Sample

230116-h1b6kabb62
MD5

343adbd49e24d1bdec30f634f4055da8
SHA1

77d29818be0d01c38545baa0bd4551c6853c224b
SHA256

404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
SHA512

4c6831539aef807c7cb4875306e5fecc06b769924e0a1f80a5316f194a5235ec9e904c932b3ec4021e7ef2237bc2dba3db47a8a1cb20244c67c9fa1e6d88298f
SSDEEP

6144:SVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO1DAjWbc:SRDF2BpjLQLsvBP0+ecyEY37C8P

Score

10^/10

redline 1 evasion infostealer spyware

Static task

static1

Behavioral task

behavioral1

Sample

77d29818be0d01c38545baa0bd4551c6853c224b.exe

Resource

win7-20220812-en

redline 1 evasion infostealer spyware

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

77d29818be0d01c38545baa0bd4551c6853c224b.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Targets

- Target
  
  77d29818be0d01c38545baa0bd4551c6853c224b
- Size
  
  365KB
- MD5
  
  343adbd49e24d1bdec30f634f4055da8
- SHA1
  
  77d29818be0d01c38545baa0bd4551c6853c224b
- SHA256
  
  404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
- SHA512
  
  4c6831539aef807c7cb4875306e5fecc06b769924e0a1f80a5316f194a5235ec9e904c932b3ec4021e7ef2237bc2dba3db47a8a1cb20244c67c9fa1e6d88298f
- SSDEEP
  
  6144:SVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO1DAjWbc:SRDF2BpjLQLsvBP0+ecyEY37C8P
Score

10^/10

redline 1 evasion infostealer spyware
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

redline1evasioninfostealerspyware

behavioral2

© 2018-2025

Terms | Privacy