redline | beb8abeef3561a5707d3c25885b2a3cb1eb5f1a9e8a6633e82a10c3355c219a9 | Triage

Sharing

General

Target

e1c167185238788680e0bfd0e5b1a5d7.bin
Size

436KB
Sample

230508-cdeehsge89
MD5

8feeaa73e1c7e9bd8d1b64c05f59babf
SHA1

346d35040ca5ac113147994b10bfa1ca66545f82
SHA256

beb8abeef3561a5707d3c25885b2a3cb1eb5f1a9e8a6633e82a10c3355c219a9
SHA512

2e589c1c06cd5a0ee51384a8919b7ef78ca4fd26384911fbed65ed9f57847c3eed66af79dddaaff8406035dc711d0dec0fd0f86d27d857644d4a3121dd69ebe3
SSDEEP

12288:03O3M5/3hbbL7uJJQyujguAp5htGWW0rW:03/5/dbLiiZY5X4mW

Score

10^/10

redline dariy discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dariy

C2

217.196.96.101:4132

Attributes

auth_value
2f34aa0d1cb1023a826825b68ebedcc8

Targets

- Target
  
  ead04de753faea0871b59e842bb68274e26b06b72ac50336be703ff10b4e224e.exe
- Size
  
  480KB
- MD5
  
  e1c167185238788680e0bfd0e5b1a5d7
- SHA1
  
  265c00bf43be0ce21eaa8f8f3b1d242b33d98f9a
- SHA256
  
  ead04de753faea0871b59e842bb68274e26b06b72ac50336be703ff10b4e224e
- SHA512
  
  f718a55a15dbde5e23e8d72cac4d9eef2317975e480d19dd688f9022e7e338ff13e41cd83eeb704835e0392a5c3f3c7336b804bc8b95b2cf32b9d7190d291fbf
- SSDEEP
  
  12288:kMroy90EewJUdRLUCK3cdxLdTz7KnY0exX75Sbgy:syjeNnLbK+dTz7yaX75Sbgy
Score

10^/10

redline dariy discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedariydiscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

redlinedariydiscoveryevasioninfostealerpersistencespywarestealertrojan