redline | 67e2ed7bf15aa61396794bc48623e14f4f69401b8bf4f9ed9e1fff7d10019920 | Triage

Sharing

General

Target

67e2ed7bf15aa61396794bc48623e14f4f69401b8bf4f9ed9e1fff7d10019920
Size

1.1MB
Sample

230513-jcv47sfg49
MD5

57098189c9ac0035b8d01948654fd88e
SHA1

c13d0ac4885280f8de54bd6ffaa9c276cd1a9d92
SHA256

67e2ed7bf15aa61396794bc48623e14f4f69401b8bf4f9ed9e1fff7d10019920
SHA512

8b1e68c065dfa3dc5cc8990c9bfe4642c870fe7aa4477de5e66f586f6b51163d12cccacc8edc9325534a1d8f274c82633ca232a035cde08971c844c49543fd9e
SSDEEP

24576:vyCJKUY/fRnhGN9+EPM8K9RyLtKhjSpK/7Od/8hzjAkCxkxp:6n3BhGn+gM19RyJKh8pWVx

Score

10^/10

redline doma joana discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Extracted

Family

redline

Botnet

joana

C2

185.161.248.75:4132

Attributes

auth_value
85090ed112d639bb782481da2912487a

Targets

- Target
  
  67e2ed7bf15aa61396794bc48623e14f4f69401b8bf4f9ed9e1fff7d10019920
- Size
  
  1.1MB
- MD5
  
  57098189c9ac0035b8d01948654fd88e
- SHA1
  
  c13d0ac4885280f8de54bd6ffaa9c276cd1a9d92
- SHA256
  
  67e2ed7bf15aa61396794bc48623e14f4f69401b8bf4f9ed9e1fff7d10019920
- SHA512
  
  8b1e68c065dfa3dc5cc8990c9bfe4642c870fe7aa4477de5e66f586f6b51163d12cccacc8edc9325534a1d8f274c82633ca232a035cde08971c844c49543fd9e
- SSDEEP
  
  24576:vyCJKUY/fRnhGN9+EPM8K9RyLtKhjSpK/7Od/8hzjAkCxkxp:6n3BhGn+gM19RyJKh8pWVx
Score

10^/10

redline doma joana discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedomajoanadiscoveryevasioninfostealerpersistencespywarestealertrojan