redline | 9e5ff49d0c71b34db4e39fc959100fbbd82a49455bbe59593b0150cba4b362e0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

9e5ff49d0c71b34db4e39fc959100fbbd82a49455bbe59593b0150cba4b362e0
Size

520KB
Sample

230209-nwzc7aag2s
MD5

6e07e357fa5325908d367b1a779b1de5
SHA1

c57aaf7fdab3c303f1d7eb96765ef7215c3baea2
SHA256

9e5ff49d0c71b34db4e39fc959100fbbd82a49455bbe59593b0150cba4b362e0
SHA512

2c5c5f230fad93584169d6e9104473f1334d0946ca47717c39997fe34c2963f29b8d882b3c682fcd861de22c78760dd80e57c4ced8d59a5fde84111e256cd681
SSDEEP

12288:JMrfy90qb2sQaOZTHS+xJh026nGhqhWs0nLXz:SywR/Jw620nn

Score

10^/10

redline crypt romka discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

romka

C2

193.233.20.11:4131

Attributes

auth_value
fcbb3247051f5290e8ac5b1a841af67b

Extracted

Family

redline

Botnet

crypt

C2

176.113.115.17:4132

Attributes

auth_value
407e05c9b3a74d99a20f90b091547bd6

Targets

- Target
  
  9e5ff49d0c71b34db4e39fc959100fbbd82a49455bbe59593b0150cba4b362e0
- Size
  
  520KB
- MD5
  
  6e07e357fa5325908d367b1a779b1de5
- SHA1
  
  c57aaf7fdab3c303f1d7eb96765ef7215c3baea2
- SHA256
  
  9e5ff49d0c71b34db4e39fc959100fbbd82a49455bbe59593b0150cba4b362e0
- SHA512
  
  2c5c5f230fad93584169d6e9104473f1334d0946ca47717c39997fe34c2963f29b8d882b3c682fcd861de22c78760dd80e57c4ced8d59a5fde84111e256cd681
- SSDEEP
  
  12288:JMrfy90qb2sQaOZTHS+xJh026nGhqhWs0nLXz:SywR/Jw620nn
Score

10^/10

redline crypt romka discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinecryptromkadiscoveryinfostealerpersistencespywarestealer