redline | 656301eac2f3431b400f5b221de7691e95c799e473abf3497fda2b1b1fde752c | Triage

Sharing

General

Target

656301eac2f3431b400f5b221de7691e95c799e473abf3497fda2b1b1fde752c
Size

765KB
Sample

230212-d6w1psdg92
MD5

9d7b85cbfbfbb59d095cffa148f42742
SHA1

f7020942f6b81549abcf8ee87b1618d7fb56e2bc
SHA256

656301eac2f3431b400f5b221de7691e95c799e473abf3497fda2b1b1fde752c
SHA512

c0c31d79b8e489a51997bac0b4ecfbcc0aeba796c99e8cceca22578f85ac471c46f24407d1fe2941f1801b89225558e353ec25f4341dc37bcfdb8641ca0c4aef
SSDEEP

12288:WMrFy90uBVphYYRllwZJZy0dCqNuRkWxq9N5r6mWNOS7GmLi4U1u8:jyjhRlmfZyKQkEWWr6m1U1u8

Score

10^/10

redline crypt1 dunm discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

crypt1

C2

176.113.115.17:4132

Attributes

auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Targets

- Target
  
  656301eac2f3431b400f5b221de7691e95c799e473abf3497fda2b1b1fde752c
- Size
  
  765KB
- MD5
  
  9d7b85cbfbfbb59d095cffa148f42742
- SHA1
  
  f7020942f6b81549abcf8ee87b1618d7fb56e2bc
- SHA256
  
  656301eac2f3431b400f5b221de7691e95c799e473abf3497fda2b1b1fde752c
- SHA512
  
  c0c31d79b8e489a51997bac0b4ecfbcc0aeba796c99e8cceca22578f85ac471c46f24407d1fe2941f1801b89225558e353ec25f4341dc37bcfdb8641ca0c4aef
- SSDEEP
  
  12288:WMrFy90uBVphYYRllwZJZy0dCqNuRkWxq9N5r6mWNOS7GmLi4U1u8:jyjhRlmfZyKQkEWWr6m1U1u8
Score

10^/10

redline crypt1 dunm discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinecrypt1dunmdiscoveryinfostealerpersistencespywarestealer