redline | 6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b | Triage

Submit
Reports

Overview

overview

Static

static

3

6432e96629...1b.exe

windows7-x64

6432e96629...1b.exe

windows10-2004-x64

Sharing

General

Target

6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
Size

145KB
Sample

230506-16esrabe63
MD5

2ef95efdbedb353a82497ab63aa39067
SHA1

a7784438c0ca3e37d63fc409435f6a5e96f73f41
SHA256

6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b
SHA512

1c053e93ffb29b7ef556e898650e447e8f3c101e5eb491fdd68adebc98434745b69fabf959db3d5fb0993b2be8c06f448d0b031de88024d7a4d37fdcab8dbfad
SSDEEP

3072:X3gonQnBpzMo4JPj5hMVXUgbRZlIwTqeq+3r7E4sf65NiJtmghrOy7BCRIVCNfD0:nDnyMVIZLT

Score

10^/10

redline remcos quote evasion infostealer persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe

Resource

win7-20230220-en

remcos quote evasion persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe

Resource

win10v2004-20230220-en

redline remcos quote evasion infostealer persistence rat stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

QUOTE

C2

172.93.164.93:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Explorers.exe
copy_folder
Explorers
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8S6SMR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Explorers
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
- Size
  
  145KB
- MD5
  
  2ef95efdbedb353a82497ab63aa39067
- SHA1
  
  a7784438c0ca3e37d63fc409435f6a5e96f73f41
- SHA256
  
  6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b
- SHA512
  
  1c053e93ffb29b7ef556e898650e447e8f3c101e5eb491fdd68adebc98434745b69fabf959db3d5fb0993b2be8c06f448d0b031de88024d7a4d37fdcab8dbfad
- SSDEEP
  
  3072:X3gonQnBpzMo4JPj5hMVXUgbRZlIwTqeq+3r7E4sf65NiJtmghrOy7BCRIVCNfD0:nDnyMVIZLT
Score

10^/10

remcos quote evasion persistence rat trojan redline infostealer stealer
- Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosquoteevasionpersistencerattrojan

behavioral2

redlineremcosquoteevasioninfostealerpersistenceratstealertrojan

© 2018-2025

Terms | Privacy