redline | db326b83d8aa896aabdd95fe7a75cc832e42749a3912647862cdbd93f44e6ffa | Triage

Sharing

General

Target

db326b83d8aa896aabdd95fe7a75cc832e42749a3912647862cdbd93f44e6ffa
Size

480KB
Sample

230509-1qpysaeb92
MD5

e3fb152b389a3a4797bf7d35eb4b0d61
SHA1

8c95fa504f835ef8f1940f8b8580bc238260e8eb
SHA256

db326b83d8aa896aabdd95fe7a75cc832e42749a3912647862cdbd93f44e6ffa
SHA512

dad3865a001d85b3729e3a8e20e9c9c7029e239c43780ffa48a11588955fc2a160a06aca99220ac4c994978862bedc10080db662f1b8da0b5c06c7daaa7dcd6a
SSDEEP

12288:bMrPy90XBqMVBBf3w9PUvL2XPQZT2TLoYCbt:kyvqB9fvL2/QZoMJ

Score

10^/10

redline dease discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dease

C2

217.196.96.101:4132

Attributes

auth_value
82e4d5f9abc21848e0345118814a4e6c

Targets

- Target
  
  db326b83d8aa896aabdd95fe7a75cc832e42749a3912647862cdbd93f44e6ffa
- Size
  
  480KB
- MD5
  
  e3fb152b389a3a4797bf7d35eb4b0d61
- SHA1
  
  8c95fa504f835ef8f1940f8b8580bc238260e8eb
- SHA256
  
  db326b83d8aa896aabdd95fe7a75cc832e42749a3912647862cdbd93f44e6ffa
- SHA512
  
  dad3865a001d85b3729e3a8e20e9c9c7029e239c43780ffa48a11588955fc2a160a06aca99220ac4c994978862bedc10080db662f1b8da0b5c06c7daaa7dcd6a
- SSDEEP
  
  12288:bMrPy90XBqMVBBf3w9PUvL2XPQZT2TLoYCbt:kyvqB9fvL2/QZoMJ
Score

10^/10

redline dease discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedeasediscoveryevasioninfostealerpersistencespywarestealertrojan