redline | 5b58585c91aa5100968c030abc62639a4f7b16c89f8aa81ab5a0122312464b4d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

5b58585c91aa5100968c030abc62639a4f7b16c89f8aa81ab5a0122312464b4d.bin
Size

1.5MB
Sample

230506-1zpz5sce8v
MD5

0ac3721d21f2e11a6acbe453ed4f607f
SHA1

a47f24d77baf5091c77df083499a04709f303316
SHA256

5b58585c91aa5100968c030abc62639a4f7b16c89f8aa81ab5a0122312464b4d
SHA512

1e05867297029e5a4be5ef2fab0a0b602bf01fa73c8a52b9876a73a3e8352306a1af4b8c12609f3ab0dc138ebb4cb820033e276ad0fda71bf1c48bbcbe9fb4e7
SSDEEP

24576:3yQ/QP25Y8MubHyntF7A/xl/Bp87taM+QdVmJg2VExZyPVm2sKeo:C8QP4YIsttAZvp870NQdspEZy9qj

Score

10^/10

redline gena most evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Targets

- Target
  
  5b58585c91aa5100968c030abc62639a4f7b16c89f8aa81ab5a0122312464b4d.bin
- Size
  
  1.5MB
- MD5
  
  0ac3721d21f2e11a6acbe453ed4f607f
- SHA1
  
  a47f24d77baf5091c77df083499a04709f303316
- SHA256
  
  5b58585c91aa5100968c030abc62639a4f7b16c89f8aa81ab5a0122312464b4d
- SHA512
  
  1e05867297029e5a4be5ef2fab0a0b602bf01fa73c8a52b9876a73a3e8352306a1af4b8c12609f3ab0dc138ebb4cb820033e276ad0fda71bf1c48bbcbe9fb4e7
- SSDEEP
  
  24576:3yQ/QP25Y8MubHyntF7A/xl/Bp87taM+QdVmJg2VExZyPVm2sKeo:C8QP4YIsttAZvp870NQdspEZy9qj
Score

10^/10

redline gena most evasion infostealer persistence trojan stealer
- Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  stealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinegenamostevasioninfostealerpersistencetrojan

behavioral2

redlinegenamostevasioninfostealerpersistencestealertrojan