redline | aa8b2be4fc7f54a1f4d5b98c50339db3e72438919305251c29b5a379f10d9315 | Triage

Sharing

General

Target

aa8b2be4fc7f54a1f4d5b98c50339db3e72438919305251c29b5a379f10d9315
Size

514KB
Sample

230209-raadqaef44
MD5

ab996d5b02f6f125f5cfe2b15a810a34
SHA1

62be350e5491b392ecca94e31e84aca345d0edd9
SHA256

aa8b2be4fc7f54a1f4d5b98c50339db3e72438919305251c29b5a379f10d9315
SHA512

5d0c49c2597798c92d6b0160bf8bcc26e3534dd6f9f9246e25191069a35a1306eb992f106f908ec7cd6e74c6a65b1e693b7673281ad02537317c9234da26fe25
SSDEEP

12288:lMrFy90Ew/NnQrIs3MWmhk8ddtqMA9Q7vjzDLfkxC:8y0nY3MJhk8d7TASnzT

Score

10^/10

redline crypt romka discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

romka

C2

193.233.20.11:4131

Attributes

auth_value
fcbb3247051f5290e8ac5b1a841af67b

Extracted

Family

redline

Botnet

crypt

C2

176.113.115.17:4132

Attributes

auth_value
407e05c9b3a74d99a20f90b091547bd6

Targets

- Target
  
  aa8b2be4fc7f54a1f4d5b98c50339db3e72438919305251c29b5a379f10d9315
- Size
  
  514KB
- MD5
  
  ab996d5b02f6f125f5cfe2b15a810a34
- SHA1
  
  62be350e5491b392ecca94e31e84aca345d0edd9
- SHA256
  
  aa8b2be4fc7f54a1f4d5b98c50339db3e72438919305251c29b5a379f10d9315
- SHA512
  
  5d0c49c2597798c92d6b0160bf8bcc26e3534dd6f9f9246e25191069a35a1306eb992f106f908ec7cd6e74c6a65b1e693b7673281ad02537317c9234da26fe25
- SSDEEP
  
  12288:lMrFy90Ew/NnQrIs3MWmhk8ddtqMA9Q7vjzDLfkxC:8y0nY3MJhk8d7TASnzT
Score

10^/10

redline crypt romka discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinecryptromkadiscoveryinfostealerpersistencespywarestealer