redline | 1e31a623012e97d5494abb6b83bfcce27438c9b055d503376a1dc0a74a6a65ee | Triage

Sharing

General

Target

1e31a623012e97d5494abb6b83bfcce27438c9b055d503376a1dc0a74a6a65ee
Size

468KB
Sample

230212-2j57vsgd6s
MD5

c1d4ff7877e3991c5203edb2610b84d9
SHA1

950a8938c643b4c812e35ab431aa5a7c20d37f88
SHA256

1e31a623012e97d5494abb6b83bfcce27438c9b055d503376a1dc0a74a6a65ee
SHA512

a20ee775d5140caa83870bdcfd46b15d65ab4e8fc256536b077292d2a588425d27cb8560b43f8d495c34d8f9d36eac2b54b8c1924daa9f91ac854cba586627e0
SSDEEP

12288:AMrly900okmgZ7+tBMjiTiZdvnQZYLe3e:VyRrhUMqizWS2e

Score

10^/10

redline crnn fusa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

redline

Botnet

crnn

C2

176.113.115.17:4132

Attributes

auth_value
6dfbf5eac3db7046d55dfd3f6608be3f

Targets

- Target
  
  1e31a623012e97d5494abb6b83bfcce27438c9b055d503376a1dc0a74a6a65ee
- Size
  
  468KB
- MD5
  
  c1d4ff7877e3991c5203edb2610b84d9
- SHA1
  
  950a8938c643b4c812e35ab431aa5a7c20d37f88
- SHA256
  
  1e31a623012e97d5494abb6b83bfcce27438c9b055d503376a1dc0a74a6a65ee
- SHA512
  
  a20ee775d5140caa83870bdcfd46b15d65ab4e8fc256536b077292d2a588425d27cb8560b43f8d495c34d8f9d36eac2b54b8c1924daa9f91ac854cba586627e0
- SSDEEP
  
  12288:AMrly900okmgZ7+tBMjiTiZdvnQZYLe3e:VyRrhUMqizWS2e
Score

10^/10

redline crnn fusa discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinecrnnfusadiscoveryevasioninfostealerpersistencespywarestealertrojan