redline | 9c048ce18b0977204dd263c68241101f187d72e12db7603deae7646fbc4b1981 | Triage

Sharing

General

Target

9c048ce18b0977204dd263c68241101f187d72e12db7603deae7646fbc4b1981
Size

1.1MB
Sample

230515-lhka1aff43
MD5

85a56a92f9dd024ed1d2cc8b9b25adb1
SHA1

0681dc99f70abee0b8e612eca612d94724e743d6
SHA256

9c048ce18b0977204dd263c68241101f187d72e12db7603deae7646fbc4b1981
SHA512

f7a20b132fb2301f933e23bcfa3bf6ee1881398a8e8f0b06cdfe9c023632f565353cfb05ffa353c68a30673e8bda96bc0cae4173f127f366d31efcb1f6a356b9
SSDEEP

24576:yyKgX4yO/OCt9fSQF9jcjjDBdSniRO7QGvgnTpnw/Ccv:ZkVbfSq6V4iRzGvWw/C

Score

10^/10

redline lays manka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lays

C2

185.161.248.75:4132

Attributes

auth_value
239cb507c4bb32e630b1bee63365fe29

Extracted

Family

redline

Botnet

manka

C2

185.161.248.75:4132

Attributes

auth_value
d94715c55e1c02ef0aa67081d47a0c1f

Targets

- Target
  
  9c048ce18b0977204dd263c68241101f187d72e12db7603deae7646fbc4b1981
- Size
  
  1.1MB
- MD5
  
  85a56a92f9dd024ed1d2cc8b9b25adb1
- SHA1
  
  0681dc99f70abee0b8e612eca612d94724e743d6
- SHA256
  
  9c048ce18b0977204dd263c68241101f187d72e12db7603deae7646fbc4b1981
- SHA512
  
  f7a20b132fb2301f933e23bcfa3bf6ee1881398a8e8f0b06cdfe9c023632f565353cfb05ffa353c68a30673e8bda96bc0cae4173f127f366d31efcb1f6a356b9
- SSDEEP
  
  24576:yyKgX4yO/OCt9fSQF9jcjjDBdSniRO7QGvgnTpnw/Ccv:ZkVbfSq6V4iRzGvWw/C
Score

10^/10

redline lays manka discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinelaysmankadiscoveryevasioninfostealerpersistencespywarestealertrojan