redline | 6ee5e532299000ef6b612842abe2ec3b94f3ac4512dffda2f44d94d83ad1cec5 | Triage

Sharing

General

Target

6ee5e532299000ef6b612842abe2ec3b94f3ac4512dffda2f44d94d83ad1cec5
Size

1.1MB
Sample

230514-13k6csdg35
MD5

736358b77593988601fea41c8cbf40ff
SHA1

c1a2c65f960d90a89e2c02dc950dade5fd36aa37
SHA256

6ee5e532299000ef6b612842abe2ec3b94f3ac4512dffda2f44d94d83ad1cec5
SHA512

62fc8de994b6e707fb7ef93f13436e6ca7c5632d9fa05c0f9e3bdba18473cf27a3b433b444ed18ab2496ebbd253dff1ae571ad222b74d68e4f8ad69d55c37017
SSDEEP

24576:Kyi1CqocWLF4hz6Ffru5BJ6l/i6/f8pUcmDj51Zbmt5jW:RqLB04RIru5BJ2Zf8pUt15m5j

Score

10^/10

redline horor linda discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Extracted

Family

redline

Botnet

horor

C2

185.161.248.75:4132

Attributes

auth_value
b8d506fe48db15c38fb031d07f42d529

Targets

- Target
  
  6ee5e532299000ef6b612842abe2ec3b94f3ac4512dffda2f44d94d83ad1cec5
- Size
  
  1.1MB
- MD5
  
  736358b77593988601fea41c8cbf40ff
- SHA1
  
  c1a2c65f960d90a89e2c02dc950dade5fd36aa37
- SHA256
  
  6ee5e532299000ef6b612842abe2ec3b94f3ac4512dffda2f44d94d83ad1cec5
- SHA512
  
  62fc8de994b6e707fb7ef93f13436e6ca7c5632d9fa05c0f9e3bdba18473cf27a3b433b444ed18ab2496ebbd253dff1ae571ad222b74d68e4f8ad69d55c37017
- SSDEEP
  
  24576:Kyi1CqocWLF4hz6Ffru5BJ6l/i6/f8pUcmDj51Zbmt5jW:RqLB04RIru5BJ2Zf8pUt15m5j
Score

10^/10

redline horor linda discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinehororlindadiscoveryevasioninfostealerpersistencespywarestealertrojan