redline | e08548a4f8e6abbc2675ac54063312984e61728fe4f08e79b9a710cbc13caacd | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e08548a4f8e6abbc2675ac54063312984e61728fe4f08e79b9a710cbc13caacd
Size

479KB
Sample

230508-vasf3sbf87
MD5

e1ca970c328e3b02651dcea14eb3e808
SHA1

a3044bd4c82565142847488ccbf7dee74a74e33e
SHA256

e08548a4f8e6abbc2675ac54063312984e61728fe4f08e79b9a710cbc13caacd
SHA512

9b02067f0116ae71972dd25abd8b58633317f46765985e48d0028bd79c005c3a5e9356c8a44c28ae802295e7d6ddb0d4d6f1658c3cd505176fba8bafcf1f19e9
SSDEEP

12288:qMrVy909s2CJWAK3t5dcq7D+IxQpC3UESplXh1GC9ZF:vyK3GK81MdOZLGk

Score

10^/10

redline maher discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maher

C2

217.196.96.101:4132

Attributes

auth_value
c57763165f68aabcf4874e661a1ffbac

Targets

- Target
  
  e08548a4f8e6abbc2675ac54063312984e61728fe4f08e79b9a710cbc13caacd
- Size
  
  479KB
- MD5
  
  e1ca970c328e3b02651dcea14eb3e808
- SHA1
  
  a3044bd4c82565142847488ccbf7dee74a74e33e
- SHA256
  
  e08548a4f8e6abbc2675ac54063312984e61728fe4f08e79b9a710cbc13caacd
- SHA512
  
  9b02067f0116ae71972dd25abd8b58633317f46765985e48d0028bd79c005c3a5e9356c8a44c28ae802295e7d6ddb0d4d6f1658c3cd505176fba8bafcf1f19e9
- SSDEEP
  
  12288:qMrVy909s2CJWAK3t5dcq7D+IxQpC3UESplXh1GC9ZF:vyK3GK81MdOZLGk
Score

10^/10

redline maher discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinemaherdiscoveryevasioninfostealerpersistencespywarestealertrojan