redline | ddea3eb5e91f8e3242f949cfe3429caaf7f1cfbb5125ead4839249516823bbf1 | Triage

Sharing

General

Target

ddea3eb5e91f8e3242f949cfe3429caaf7f1cfbb5125ead4839249516823bbf1
Size

742KB
Sample

230214-sm5k3adg3x
MD5

ee2ebbf8635d9f3cedb6a798f8d4b403
SHA1

dccb960c9d5b774eca6ef75b09b983dfacc1ca1b
SHA256

ddea3eb5e91f8e3242f949cfe3429caaf7f1cfbb5125ead4839249516823bbf1
SHA512

19243111e3b888e4d1e652309dac4ffb5cc93707e38a4f43cf3da817da0a1fe06899f42da81b8a63de07a8f332c05b7f5422e11f5f44f0402e50d6df58bf07ed
SSDEEP

12288:bMrdy90ZmqVrS4t3kkt5pHhr6+RnF99uKoIVnaUVwlqRtC+3fZ2GkoLv:ey7yrS4t3jt7k4F999oDUVwuRfZhv

Score

10^/10

redline cr10 dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cr10

C2

176.113.115.17:4132

Attributes

auth_value
0a52a09c70a98bb6612362e5eb8b1d02

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Targets

- Target
  
  ddea3eb5e91f8e3242f949cfe3429caaf7f1cfbb5125ead4839249516823bbf1
- Size
  
  742KB
- MD5
  
  ee2ebbf8635d9f3cedb6a798f8d4b403
- SHA1
  
  dccb960c9d5b774eca6ef75b09b983dfacc1ca1b
- SHA256
  
  ddea3eb5e91f8e3242f949cfe3429caaf7f1cfbb5125ead4839249516823bbf1
- SHA512
  
  19243111e3b888e4d1e652309dac4ffb5cc93707e38a4f43cf3da817da0a1fe06899f42da81b8a63de07a8f332c05b7f5422e11f5f44f0402e50d6df58bf07ed
- SSDEEP
  
  12288:bMrdy90ZmqVrS4t3kkt5pHhr6+RnF99uKoIVnaUVwlqRtC+3fZ2GkoLv:ey7yrS4t3jt7k4F999oDUVwuRfZhv
Score

10^/10

redline cr10 dubka discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinecr10dubkadiscoveryevasioninfostealerpersistencespywarestealertrojan