redline | 20ef12c3cf75d4939f98c5dcb7887046b8e709240c334f5654e7fba9e09e6d54 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

20ef12c3cf75d4939f98c5dcb7887046b8e709240c334f5654e7fba9e09e6d54.bin
Size

810KB
Sample

230506-zq3dfafg5v
MD5

684b32ec62c1fa371788a7d6f879a8e0
SHA1

bbc3626a8e873035fd2b5426ab27b17a2adcd260
SHA256

20ef12c3cf75d4939f98c5dcb7887046b8e709240c334f5654e7fba9e09e6d54
SHA512

e59fb114af0bbb1d0ddf776136f678d3fc84f7d824db3972b18f1598bac6a4dd69c4587f891782a97d161b0bee9ea61d87c36d32d964350992033a71ca97e4e8
SSDEEP

24576:zydA1VOIiLNAk0MRBRzxjZa2g81fvm9MH4pp:GdeZCNAk11FU81fvRYp

Score

10^/10

redline dark gena evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dark

C2

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Targets

- Target
  
  20ef12c3cf75d4939f98c5dcb7887046b8e709240c334f5654e7fba9e09e6d54.bin
- Size
  
  810KB
- MD5
  
  684b32ec62c1fa371788a7d6f879a8e0
- SHA1
  
  bbc3626a8e873035fd2b5426ab27b17a2adcd260
- SHA256
  
  20ef12c3cf75d4939f98c5dcb7887046b8e709240c334f5654e7fba9e09e6d54
- SHA512
  
  e59fb114af0bbb1d0ddf776136f678d3fc84f7d824db3972b18f1598bac6a4dd69c4587f891782a97d161b0bee9ea61d87c36d32d964350992033a71ca97e4e8
- SSDEEP
  
  24576:zydA1VOIiLNAk0MRBRzxjZa2g81fvm9MH4pp:GdeZCNAk11FU81fvRYp
Score

10^/10

redline dark gena evasion infostealer persistence trojan stealer
- Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  stealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedarkgenaevasioninfostealerpersistencetrojan

behavioral2

redlinedarkgenaevasioninfostealerpersistencestealertrojan