redline | fd8f38399b6177e82e47462be89e036cf84f959d9badb00af343db26a4226b1d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

52b3d9bb74d3eb611d962c7be2272be9.exe
Size

468KB
Sample

230214-tvsrxaea4s
MD5

52b3d9bb74d3eb611d962c7be2272be9
SHA1

b3b5cea27ed4ce853dde2297bee82f450637f70d
SHA256

fd8f38399b6177e82e47462be89e036cf84f959d9badb00af343db26a4226b1d
SHA512

f7959f158d173f590fc7bde0a9a39d57b704b1330cc3e419789427f38941928c45a3d49f72aa1574e10fce2002b8669c2cee660e21b542cb9a6c3cddf816b74f
SSDEEP

6144:KBy+bnr+hp0yN90QE62o3jGtjvo8xOk3wDgyrSd6axmKfgfqaKLvbmInqh7Yx2:DMrdy90RKOOCwsCSPmKuqt1nqtYx2

Score

10^/10

redline cr10n fukia discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

redline

Botnet

cr10n

C2

176.113.115.17:4132

Attributes

auth_value
6016c19179aa1044c369adb0ec1f363b

Targets

- Target
  
  52b3d9bb74d3eb611d962c7be2272be9.exe
- Size
  
  468KB
- MD5
  
  52b3d9bb74d3eb611d962c7be2272be9
- SHA1
  
  b3b5cea27ed4ce853dde2297bee82f450637f70d
- SHA256
  
  fd8f38399b6177e82e47462be89e036cf84f959d9badb00af343db26a4226b1d
- SHA512
  
  f7959f158d173f590fc7bde0a9a39d57b704b1330cc3e419789427f38941928c45a3d49f72aa1574e10fce2002b8669c2cee660e21b542cb9a6c3cddf816b74f
- SSDEEP
  
  6144:KBy+bnr+hp0yN90QE62o3jGtjvo8xOk3wDgyrSd6axmKfgfqaKLvbmInqh7Yx2:DMrdy90RKOOCwsCSPmKuqt1nqtYx2
Score

10^/10

redline cr10n fukia discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinecr10nfukiadiscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

redlinecr10nfukiadiscoveryevasioninfostealerpersistencespywarestealertrojan