redline | 204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1
Size

1.1MB
Sample

230513-amvrraeh66
MD5

b82cce803d0ff0752b2858f42216a916
SHA1

a837ddf1c64d83e7bd31db63ddca7be02a1da5c9
SHA256

204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1
SHA512

27eb040b3233088b45b7e33c47501b41e8ed0e3d52b6c344d33332a1cbf0a56bcde6422a8072beb1e4abc925d9e6c023e0e1df2365c3ce2a04e6ac1bdef18cc2
SSDEEP

24576:4yS73Ehpoh0scJz4UYD2HygOfLMlh0vp7XpCNVQB:/S70bE0YdwhXVQ

Score

10^/10

redline doma joana discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Extracted

Family

redline

Botnet

joana

C2

185.161.248.75:4132

Attributes

auth_value
85090ed112d639bb782481da2912487a

Targets

- Target
  
  204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1
- Size
  
  1.1MB
- MD5
  
  b82cce803d0ff0752b2858f42216a916
- SHA1
  
  a837ddf1c64d83e7bd31db63ddca7be02a1da5c9
- SHA256
  
  204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1
- SHA512
  
  27eb040b3233088b45b7e33c47501b41e8ed0e3d52b6c344d33332a1cbf0a56bcde6422a8072beb1e4abc925d9e6c023e0e1df2365c3ce2a04e6ac1bdef18cc2
- SSDEEP
  
  24576:4yS73Ehpoh0scJz4UYD2HygOfLMlh0vp7XpCNVQB:/S70bE0YdwhXVQ
Score

10^/10

redline doma joana discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedomajoanadiscoveryevasioninfostealerpersistencespywarestealertrojan