redline

General

Target

FiIе (2).rar
Size

3.7MB
Sample

230304-j3vlcsdd45
MD5

8a5e102aaa6846d3c79d40e92e120e19
SHA1

d34ec15250b2a792cc92ba601e05fee36d13eb84
SHA256

b3b9d9d19f58fb77f37b0184eea0e90f53a5b947fe335f2548e2d10d1d809d68
SHA512

c368e3a62def5d1412116846986996e9f3b2c31bf87aba3bc31a6d601675118318b8794696349bd37fa45c52febce9af70e2e736db6cd6959c109433292ed652
SSDEEP

98304:5W4EiVUuH4SC6V0E/y2z10/H8F7rOo6CPEA6o4pXSyI4qXo:5YA3CA0Ea2x0/cdCy6xpCv4Uo

Score

10^/10

Malware Config

Extracted

Family

redline

C2

45.138.74.121:80

Attributes

auth_value
b108e6c8200f19bf525e2e611b2e98b6

Targets

- Target
  
  Setup 2.exe
- Size
  
  3.4MB
- MD5
  
  fb430617074d580d39d5713abcfdc095
- SHA1
  
  08d5d42d079a1b60c39225cb2933686d050edc1d
- SHA256
  
  f4326903b6446139efb0ee5e3251ca95f1ada0963829deb1547df4c5b6930bf2
- SHA512
  
  6df1dd5f8c42529e99fc93c93c4deb491d8f811819cdbed4c222da28254d35fe02f0792db2e6b59ff00538351d51f687e8a54f06f7a643bf973177c6aedd1b8c
- SSDEEP
  
  98304:E52wmQdKG7qhlBQekY049suZMx8WDj09hKBNUhlbYY:Ep37wdkdXuZMCSKcByhll
Score

10^/10

redline infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  FiIе/Setup.exe
- Size
  
  480KB
- MD5
  
  701477f861bde9756d5fc3ace9d2f019
- SHA1
  
  2e0f06df176b574cd8f629f8e0d32fdedc72dd20
- SHA256
  
  48aa1381548b2590a3ae1d740852fdefdf51c46666ee2d86e50aeae66afbda60
- SHA512
  
  97eb40e656f06fc06b0c7d52aae69c64464ee47a8d350e041fe6c7c90e35ed44b1d976bdbcb968c146beb44624224be62fa4a2b919e81ce7644b6c13f0b636c7
- SSDEEP
  
  12288:cpdcHSyxPmq2i7PFMzPV2v207z4TSxf4sugsRBN3dMon:MdPypmH1VU20X4RmwMY
Score

10^/10

vidar spyware stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Vidar

Loads dropped DLL

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4