redline | 72fa014db49738f6ab72b7e127c30d4d15a7e6c03aaa5c3a7e06be766858a124 | Triage

Sharing

General

Target

7d87c4bc2f2d293c42d30b5c85b7a061.exe
Size

518KB
Sample

230209-qex5xada5v
MD5

7d87c4bc2f2d293c42d30b5c85b7a061
SHA1

4cab1a968d1e93eb0b6ec52f0df4f9d7e56029d1
SHA256

72fa014db49738f6ab72b7e127c30d4d15a7e6c03aaa5c3a7e06be766858a124
SHA512

d33fb6f6dca80349b1f23f206c85d915d683ebb8d3ce9dffa1ada6e48d25d45fafb19b6692e88a1431f1926faf48bec3f64516e42fe84e9b67c30bf47764c884
SSDEEP

12288:JMrny90xCiQb5c+bKuZdZ3+Nxpsvka6OIOIpCNAJ:CyKCdba+nr37vP6s8CuJ

Score

10^/10

redline crypt romka discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

romka

C2

193.233.20.11:4131

Attributes

auth_value
fcbb3247051f5290e8ac5b1a841af67b

Extracted

Family

redline

Botnet

crypt

C2

176.113.115.17:4132

Attributes

auth_value
407e05c9b3a74d99a20f90b091547bd6

Targets

- Target
  
  7d87c4bc2f2d293c42d30b5c85b7a061.exe
- Size
  
  518KB
- MD5
  
  7d87c4bc2f2d293c42d30b5c85b7a061
- SHA1
  
  4cab1a968d1e93eb0b6ec52f0df4f9d7e56029d1
- SHA256
  
  72fa014db49738f6ab72b7e127c30d4d15a7e6c03aaa5c3a7e06be766858a124
- SHA512
  
  d33fb6f6dca80349b1f23f206c85d915d683ebb8d3ce9dffa1ada6e48d25d45fafb19b6692e88a1431f1926faf48bec3f64516e42fe84e9b67c30bf47764c884
- SSDEEP
  
  12288:JMrny90xCiQb5c+bKuZdZ3+Nxpsvka6OIOIpCNAJ:CyKCdba+nr37vP6s8CuJ
Score

10^/10

redline crypt romka discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinecryptromkadiscoveryinfostealerpersistencespywarestealer

behavioral2

redlinecryptdiscoveryinfostealerpersistencespywarestealer