redline | 4183b876a8505780698f05d98169007a212816a194dc2daf4802dc351aa6535a | Triage

Sharing

General

Target

4183b876a8505780698f05d98169007a212816a194dc2daf4802dc351aa6535a
Size

1.1MB
Sample

230515-f8d9sahb71
MD5

6ebca2a77054da695d23d99488a9c573
SHA1

510ccb61f13c0c68a285d5dc3e58c4f836c1dd02
SHA256

4183b876a8505780698f05d98169007a212816a194dc2daf4802dc351aa6535a
SHA512

1e103fa2b733ea995af6dfaaff6d8e795abf1668bd9fbdc1d63a10aef5f8d594254386fce9ff1ea4c913f130eb06d51856d5f54b78413b9ed821f3f13664f146
SSDEEP

24576:tyc2UCSTgKddXMGWS0kPG4nTXSaBr932tNCKoNFvn9mYgfwgRaB:IgvgKddXkS0kemd1IgJNl9mmgRa

Score

10^/10

redline horor lopuh discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lopuh

C2

185.161.248.75:4132

Attributes

auth_value
5852b05de9da526581993068a4e7e915

Extracted

Family

redline

Botnet

horor

C2

185.161.248.75:4132

Attributes

auth_value
b8d506fe48db15c38fb031d07f42d529

Targets

- Target
  
  4183b876a8505780698f05d98169007a212816a194dc2daf4802dc351aa6535a
- Size
  
  1.1MB
- MD5
  
  6ebca2a77054da695d23d99488a9c573
- SHA1
  
  510ccb61f13c0c68a285d5dc3e58c4f836c1dd02
- SHA256
  
  4183b876a8505780698f05d98169007a212816a194dc2daf4802dc351aa6535a
- SHA512
  
  1e103fa2b733ea995af6dfaaff6d8e795abf1668bd9fbdc1d63a10aef5f8d594254386fce9ff1ea4c913f130eb06d51856d5f54b78413b9ed821f3f13664f146
- SSDEEP
  
  24576:tyc2UCSTgKddXMGWS0kPG4nTXSaBr932tNCKoNFvn9mYgfwgRaB:IgvgKddXkS0kemd1IgJNl9mmgRa
Score

10^/10

redline horor lopuh discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinehororlopuhdiscoveryevasioninfostealerpersistencespywarestealertrojan