redline | f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1 | Triage

Sharing

General

Target

f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
Size

1.1MB
Sample

230514-xa3cdsdb39
MD5

d660aeb2d972c8e854e9699fa5ce3c41
SHA1

8e10b8a503de6ee01a59e22bc2a685a257c66c6a
SHA256

f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1
SHA512

a20806da00c093115178527517b3304e6651bb89f8f2af163c032019facdb8f7925d60e23a422912e1732e46fc81120a65208de015c558d2b27e155bbe1fae3a
SSDEEP

24576:jysODbGQ5Nq2FfvHdu5Zy2qoXGA5zCrnJ9ljZr/AXYVJeq9WsM:27bfNq2FffTkyJh0SJ99p

Score

10^/10

redline dogma terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dogma

C2

185.161.248.75:4132

Attributes

auth_value
d6c5d36e9aa03c956dc76aa0fcbe3639

Extracted

Family

redline

Botnet

terra

C2

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Targets

- Target
  
  f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
- Size
  
  1.1MB
- MD5
  
  d660aeb2d972c8e854e9699fa5ce3c41
- SHA1
  
  8e10b8a503de6ee01a59e22bc2a685a257c66c6a
- SHA256
  
  f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1
- SHA512
  
  a20806da00c093115178527517b3304e6651bb89f8f2af163c032019facdb8f7925d60e23a422912e1732e46fc81120a65208de015c558d2b27e155bbe1fae3a
- SSDEEP
  
  24576:jysODbGQ5Nq2FfvHdu5Zy2qoXGA5zCrnJ9ljZr/AXYVJeq9WsM:27bfNq2FffTkyJh0SJ99p
Score

10^/10

persistence redline dogma terra discovery evasion infostealer spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

redlinedogmaterradiscoveryevasioninfostealerpersistencespywarestealertrojan