redline | e265bf051d26a8e12e05c035421e0070518f632d25f93e6f4b2b8b82e24a8e87 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e265bf051d26a8e12e05c035421e0070518f632d25f93e6f4b2b8b82e24a8e87
Size

134KB
Sample

230508-h6368she25
MD5

11554bbce3429ae5dd3d4429413a2ca6
SHA1

366b317b780223d3605cf620dce067367e68a7df
SHA256

e265bf051d26a8e12e05c035421e0070518f632d25f93e6f4b2b8b82e24a8e87
SHA512

d9e4be8e5610c1532a273738f23becd1f6a63cc1926c26b99663ec0061c97bc34632d81e73183325fe587567a3209beadec6eccfc092636e337836d64ffba151
SSDEEP

3072:5bGd7ZAwOmKUnXY71UAMw3ada0xsEj+ED:pGdVAw9XY7z3P0xsEj+o

Score

10^/10

redline [ pro ]evasion infostealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/ss.png

Extracted

Family

redline

Botnet

[ PRO ]

C2

185.161.248.16:26885

Attributes

auth_value
b4958da54d1cdd9d9b28330afda1cc3c

Targets

- Target
  
  e265bf051d26a8e12e05c035421e0070518f632d25f93e6f4b2b8b82e24a8e87
- Size
  
  134KB
- MD5
  
  11554bbce3429ae5dd3d4429413a2ca6
- SHA1
  
  366b317b780223d3605cf620dce067367e68a7df
- SHA256
  
  e265bf051d26a8e12e05c035421e0070518f632d25f93e6f4b2b8b82e24a8e87
- SHA512
  
  d9e4be8e5610c1532a273738f23becd1f6a63cc1926c26b99663ec0061c97bc34632d81e73183325fe587567a3209beadec6eccfc092636e337836d64ffba151
- SSDEEP
  
  3072:5bGd7ZAwOmKUnXY71UAMw3ada0xsEj+ED:pGdVAw9XY7z3P0xsEj+o
Score

10^/10

redline [ pro ]evasion infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

redline[ pro ]evasioninfostealer