Overview

overview

10

Static

static

3

470f84e398...7d.exe

windows7-x64

10

470f84e398...7d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    470f84e3985e79afa18514a02c407bd4612124fc633fed51c3c25a28c2eed87d

  • Size

    600KB

  • Sample

    230505-wzpbdscg68

  • MD5

    e261b0abd3a16703693cb376d491b25b

  • SHA1

    83399dacdafb779bbb390d40e3f3a228170c77ee

  • SHA256

    470f84e3985e79afa18514a02c407bd4612124fc633fed51c3c25a28c2eed87d

  • SHA512

    5dd2ea901551bd012a42a68ff0620d10f66d6b5a1111fae10363c5577bffbe1295da08b5f164729a87435ed90344a0d68cda2dde767f309e9401b5be8e32b763

  • SSDEEP

    12288:6Mrcy90d/mgwN6Tj/BSV3AFe98Ij3aePVyr7B5+a1Gv79vaRNu:KyOrFXpu3AFe98S3yXBM269SDu

Score
10/10
redlinedarisdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes
  • auth_value

    3491f24ae0250969cd45ce4b3fe77549

Targets

    • Target

      470f84e3985e79afa18514a02c407bd4612124fc633fed51c3c25a28c2eed87d

    • Size

      600KB

    • MD5

      e261b0abd3a16703693cb376d491b25b

    • SHA1

      83399dacdafb779bbb390d40e3f3a228170c77ee

    • SHA256

      470f84e3985e79afa18514a02c407bd4612124fc633fed51c3c25a28c2eed87d

    • SHA512

      5dd2ea901551bd012a42a68ff0620d10f66d6b5a1111fae10363c5577bffbe1295da08b5f164729a87435ed90344a0d68cda2dde767f309e9401b5be8e32b763

    • SSDEEP

      12288:6Mrcy90d/mgwN6Tj/BSV3AFe98Ij3aePVyr7B5+a1Gv79vaRNu:KyOrFXpu3AFe98S3yXBM269SDu

    Score
    10/10
    redlinedarisdiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

      stealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks