redline | 8ce129c880942a1c592ae2f77680519cc84488358c5ec6766b1a59fd3b1d644d | Triage

Submit
Reports

Overview

overview

Static

static

PUBGcheat/...at.exe

windows7-x64

PUBGcheat/...at.exe

windows10-2004-x64

Sharing

General

Target

PUBGcheat.rar
Size

4.6MB
Sample

230125-d66j5seg64
MD5

e8407005cd1755bccc364fe2d0243aba
SHA1

483c8b60788e12577990efa6abb010b0b6e75c1f
SHA256

8ce129c880942a1c592ae2f77680519cc84488358c5ec6766b1a59fd3b1d644d
SHA512

169171ad65cd5986d1b534cde21f8588b7b0f028109d37dfec0ad84e5bb09191c3f1d49ae7bb70c3ca4715c4176e12919a6916cd77755b20ee98ac008bdd9da7
SSDEEP

98304:ON/pSAW1DA+AtCBHF8jlNOVsPt8h5kHbCprYDK4OQaqHXc+U:uh8itCBHCnOiChiHOwVHXU

Score

10^/10

redline @foruman discovery evasion infostealer spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PUBGcheat/PUPGcheat.exe

Resource

win7-20220812-en

redline @foruman discovery evasion infostealer spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

PUBGcheat/PUPGcheat.exe

Resource

win10v2004-20220812-en

redline @foruman discovery evasion infostealer spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@foruman

C2

45.15.156.155:80

Attributes

auth_value
43c46f5646e17d8eafe7e33654dbc9b9

Targets

- Target
  
  PUBGcheat/PUPGcheat.exe
- Size
  
  4.2MB
- MD5
  
  e5132ba7ead2678937e0a456b0ec486f
- SHA1
  
  4ac356f760856bc04cf642ad80746c27dee3071a
- SHA256
  
  a9fc85282672428bc78ca1c87335113361248fc06c5a7cb812d3bb6a80a920c7
- SHA512
  
  6f99073185a9fc1ceead113969a96e2a7ec2747368ac76cf9da1abbac27a01d0fa16b1e0361b7c1ad786b1942719b682406abf62b47e9cd66c669e8ea764a3cd
- SSDEEP
  
  98304:dQ5JBs724LGPTXWIYttc22ICEF1xcZeo4TPCpE5j3HfrYs+NjV9:dQj4GPTXfk92ICEF+4TuEp/MtV9
Score

10^/10

redline @foruman discovery evasion infostealer spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Hidden Files and Directories

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redline@forumandiscoveryevasioninfostealerspywarestealertrojan

behavioral2

redline@forumandiscoveryevasioninfostealerspywarestealertrojan

© 2018-2024

Terms | Privacy