redline | 96c756e98e7450f83927f62ab06fb7b552dbe454bae1a97a7b22cd866398b5de | Triage

Sharing

General

Target

189fe82cc89ca2b3586e9e9b87333388.exe
Size

488KB
Sample

230510-zgewsaca3s
MD5

189fe82cc89ca2b3586e9e9b87333388
SHA1

9b677d710ea409a14a75098c4e040a3df9b8bd36
SHA256

96c756e98e7450f83927f62ab06fb7b552dbe454bae1a97a7b22cd866398b5de
SHA512

0a8ddf0e18dccb86a1b976a659315f0969fe4d14bb63eea7e6419ea0c99dbb2fecec8acedad45e3c0ae6d5327a5c339cf260b105d206499fcf750a44429b2825
SSDEEP

12288:9Mrby90xez70tQ2Q9AJuBFUGRvndP1PeUEn6:myRJ2Q9AJUuGR/PeUv

Score

10^/10

redline misik discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

misik

C2

217.196.96.102:4132

Attributes

auth_value
9133827666bc8f4b05339316460b08aa

Targets

- Target
  
  189fe82cc89ca2b3586e9e9b87333388.exe
- Size
  
  488KB
- MD5
  
  189fe82cc89ca2b3586e9e9b87333388
- SHA1
  
  9b677d710ea409a14a75098c4e040a3df9b8bd36
- SHA256
  
  96c756e98e7450f83927f62ab06fb7b552dbe454bae1a97a7b22cd866398b5de
- SHA512
  
  0a8ddf0e18dccb86a1b976a659315f0969fe4d14bb63eea7e6419ea0c99dbb2fecec8acedad45e3c0ae6d5327a5c339cf260b105d206499fcf750a44429b2825
- SSDEEP
  
  12288:9Mrby90xez70tQ2Q9AJuBFUGRvndP1PeUEn6:myRJ2Q9AJUuGR/PeUv
Score

10^/10

redline misik discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinemisikdiscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

redlinemisikdiscoveryevasioninfostealerpersistencespywarestealertrojan