redline

General

Target

ORDER102718.exe
Size

894KB
Sample

230505-zpjjyage5x
MD5

3fb2019f03cd1972350406aa10e89961
SHA1

c68d0d75e6b80c9bfc5208d2f0abe6cfdfa5257f
SHA256

4a1a8fa3ff7b0bf9c376592e6335c82e99536853c0d274bce1a8443335a2cdde
SHA512

869b9e81ad75e237515cee44d7aa73af32e0119c498a309c3ef541f6bc694384e82694bc6234776dfa564c1f1159c9ba2044f554e0edb9cf0ce83a2eeb9d996e
SSDEEP

12288:Cw0d2qj8Jz2q6InYwN4ZCM5WdK/ypQU46cyL+l:ZAdj8JKg6C+Wd4qp46cyI

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5587666659:AAG8NrrXJQs__dhk8nLJBFOspz2my8OVpX0/sendMessage?chat_id=5569775004

Targets

- Target
  
  ORDER102718.exe
- Size
  
  894KB
- MD5
  
  3fb2019f03cd1972350406aa10e89961
- SHA1
  
  c68d0d75e6b80c9bfc5208d2f0abe6cfdfa5257f
- SHA256
  
  4a1a8fa3ff7b0bf9c376592e6335c82e99536853c0d274bce1a8443335a2cdde
- SHA512
  
  869b9e81ad75e237515cee44d7aa73af32e0119c498a309c3ef541f6bc694384e82694bc6234776dfa564c1f1159c9ba2044f554e0edb9cf0ce83a2eeb9d996e
- SSDEEP
  
  12288:Cw0d2qj8Jz2q6InYwN4ZCM5WdK/ypQU46cyL+l:ZAdj8JKg6C+Wd4qp46cyI
Score

10^/10

snakekeylogger collection keylogger spyware stealer redline infostealer
- Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Redline Stealer samples

Snake Keylogger

Snake Keylogger payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2