redline | 2aba6d1b002af0a38021b1c20be73ee161eac0729d4d6dd641feb7c65d5fb637 | Triage

Submit
Reports

Overview

overview

Static

static

8

2c5734f4d9...2a.exe

windows7-x64

2c5734f4d9...2a.exe

windows10-2004-x64

8

Sharing

General

Target

b4cd73da2d48452218f1cd31ca321562.bin
Size

3.1MB
Sample

230123-sp3jgsfd9s
MD5

e78b7b38cdeead4e39ebcdf94ac2ab65
SHA1

ef27c2cfd769dc255b3e4b3b076098a69331a597
SHA256

2aba6d1b002af0a38021b1c20be73ee161eac0729d4d6dd641feb7c65d5fb637
SHA512

7cd70ad43b8d9cbe131c23f2472b7e340a1aa176ca60679cf8829f8bac61abc26b45ba73e2edfc4c9e164e1d5c6e76bcbd9f3fb0d1265b339cf5d2d36b97c744
SSDEEP

98304:c1l1We4Kg3s3y4MthCjXfZpaHPBWsPzJ7wKS8li:cv1z9ys5k4jXfnaHP7zSKL0

Score

10^/10

redline medi2 discovery infostealer spyware stealer vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2c5734f4d9cc0fc20f1a9e5c1fa0133f0894f73a24813be20b6a25da6d90842a.exe

Resource

win7-20220901-en

redline medi2 discovery infostealer spyware stealer vmprotect

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

2c5734f4d9cc0fc20f1a9e5c1fa0133f0894f73a24813be20b6a25da6d90842a.exe

Resource

win10v2004-20221111-en

discovery spyware stealer vmprotect

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

Medi2

C2

167.235.156.206:6218

Attributes

auth_value
415e49528666a4468e12b696ddda231f

Targets

- Target
  
  2c5734f4d9cc0fc20f1a9e5c1fa0133f0894f73a24813be20b6a25da6d90842a.exe
- Size
  
  3.4MB
- MD5
  
  b4cd73da2d48452218f1cd31ca321562
- SHA1
  
  3e16b20e5bb5f3ac668acc4c977852d47a905ecd
- SHA256
  
  2c5734f4d9cc0fc20f1a9e5c1fa0133f0894f73a24813be20b6a25da6d90842a
- SHA512
  
  9bc0eae6d5a46efddcdca3aeffc961936150f6925146db99fe7df7e01db5ef6aa05e367306bcbe190f6fc6234df843c5f95b76877e087b824308539ed8f5cad1
- SSDEEP
  
  98304:VGOn1dnJwKCgu/SiYltdYM1Q5/dCSnKtk8H:UOn1dnY6iOrk/tKtk4
Score

10^/10

redline medi2 discovery infostealer spyware stealer vmprotect
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinemedi2discoveryinfostealerspywarestealervmprotect

behavioral2

discoveryspywarestealervmprotect

© 2018-2024

Terms | Privacy