redline | 4023dbb03db6840a5495a07e7560a44d8182ca6195123f182329a9b0cc460229 | Triage

Sharing

General

Target

8f691a045fa489404880439dd6d44221.bin
Size

1.1MB
Sample

230515-b1zhjagf2x
MD5

e7ed76cae76ba5b0039d6a8d8af207d4
SHA1

4b5bdf351dc9046164ba309e77fb9aa77c96628f
SHA256

4023dbb03db6840a5495a07e7560a44d8182ca6195123f182329a9b0cc460229
SHA512

3a9f2592aeff81fe77a94b6d6abaf0a7e488d50655b612b3c0ccef0d2767a9296436abbba27fa04056485e6ce91746aac17dec34924bd6438f2641d003b019f2
SSDEEP

24576:iY5sFBD8J3jah8sKUT9+tNIPdsOyX5+dFTtEkyuXX2p1R43:iY5sn03jahFKUgtNIPkXkpXsS

Score

10^/10

redline motor terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

motor

C2

185.161.248.75:4132

Attributes

auth_value
ec19ab9989a783983c5cbbc0e5ac4a5f

Extracted

Family

redline

Botnet

terra

C2

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Targets

- Target
  
  c195813c98544ae1cd059056f1bc2ac6f58506704648011dce21095db25f7c47.exe
- Size
  
  1.1MB
- MD5
  
  8f691a045fa489404880439dd6d44221
- SHA1
  
  152d5a5a3a1a36a118510e7e570270eadf448c0e
- SHA256
  
  c195813c98544ae1cd059056f1bc2ac6f58506704648011dce21095db25f7c47
- SHA512
  
  cf897996af44538b978a56af9865e2e53fb06041067eb8c032bc5d74ab8f76f9b56873b6e20ba20cca72bfb1870047559a9380465a9baa5656ffbbd426a48c04
- SSDEEP
  
  24576:nyR9QiO+l6KnAJrbqkKH7a5B+1hrjQF85yqJGrFEVpSWl58di7YC:yR9Q+lZARbqxH7a5B+1hfQF859kpEVt6
Score

10^/10

redline motor terra discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinemotorterradiscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

redlinemotorterradiscoveryevasioninfostealerpersistencespywarestealertrojan