redline

General

Target

b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee
Size

1.1MB
Sample

230514-vxqwrsce96
MD5

eb58c15600f974d7beb1cf404fadc2da
SHA1

11e27de8b96d8e8f968ab0ebd9f532218b321ebc
SHA256

b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee
SHA512

519830019371ab5848e57fe079b9b9dc46099b84b59f0e87bb87b3c8ceebe8f866f4653e2a9968cd33746404c8bb392fcf09891c59e20acc701ea3b360fb4859
SSDEEP

24576:ryqsz6bhFwBq0tK0EZ5Tw8H3d0G59jYHtQUcdB9BkKAqbShe83u8z9Z:eqccXGK0EZJwA3d0e9EuUcJBkKAy383F

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

larry

C2

185.161.248.75:4132

Attributes

auth_value
9039557bb7a08f5f2f60e2b71e1dee0e

Extracted

Family

redline

Botnet

warum

C2

185.161.248.75:4132

Attributes

auth_value
0bdb2dda91dadc65f555dee088a6a2a4

Targets

- Target
  
  b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee
- Size
  
  1.1MB
- MD5
  
  eb58c15600f974d7beb1cf404fadc2da
- SHA1
  
  11e27de8b96d8e8f968ab0ebd9f532218b321ebc
- SHA256
  
  b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee
- SHA512
  
  519830019371ab5848e57fe079b9b9dc46099b84b59f0e87bb87b3c8ceebe8f866f4653e2a9968cd33746404c8bb392fcf09891c59e20acc701ea3b360fb4859
- SSDEEP
  
  24576:ryqsz6bhFwBq0tK0EZ5Tw8H3d0G59jYHtQUcdB9BkKAqbShe83u8z9Z:eqccXGK0EZJwA3d0e9EuUcJBkKAy383F
Score

10^/10

redline vjw0rm wshrat larry warum discovery evasion infostealer persistence spyware stealer trojan worm
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1