redline | 39e8ab3160c4696f42567f5bca7ceade005e2f9a1101895eeb2d24a78445c9b6 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

39e8ab3160c4696f42567f5bca7ceade005e2f9a1101895eeb2d24a78445c9b6
Size

1.1MB
Sample

230515-lz2xdafg22
MD5

b0dc6a12317225270586bfd0b2ded256
SHA1

c64af00510861a5f8ffb7af41be7b1c0bc396652
SHA256

39e8ab3160c4696f42567f5bca7ceade005e2f9a1101895eeb2d24a78445c9b6
SHA512

6734eb9dfd13ef72c225784b47e89ce6ea16affdecadcbf73cbf4d9cc0f963a8be417ea888f9902fb2bfaa3cdf23d94bdc075372261f4c3540cd28b7cf437687
SSDEEP

24576:LyDoQFZmR3rEJ8c/KqRaj8+vTlfQ/gnYY7/Y/rD:+DWl+hRK9nYY7w/r

Score

10^/10

redline lays manka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lays

C2

185.161.248.75:4132

Attributes

auth_value
239cb507c4bb32e630b1bee63365fe29

Extracted

Family

redline

Botnet

manka

C2

185.161.248.75:4132

Attributes

auth_value
d94715c55e1c02ef0aa67081d47a0c1f

Targets

- Target
  
  39e8ab3160c4696f42567f5bca7ceade005e2f9a1101895eeb2d24a78445c9b6
- Size
  
  1.1MB
- MD5
  
  b0dc6a12317225270586bfd0b2ded256
- SHA1
  
  c64af00510861a5f8ffb7af41be7b1c0bc396652
- SHA256
  
  39e8ab3160c4696f42567f5bca7ceade005e2f9a1101895eeb2d24a78445c9b6
- SHA512
  
  6734eb9dfd13ef72c225784b47e89ce6ea16affdecadcbf73cbf4d9cc0f963a8be417ea888f9902fb2bfaa3cdf23d94bdc075372261f4c3540cd28b7cf437687
- SSDEEP
  
  24576:LyDoQFZmR3rEJ8c/KqRaj8+vTlfQ/gnYY7/Y/rD:+DWl+hRK9nYY7w/r
Score

10^/10

redline lays manka discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinelaysmankadiscoveryevasioninfostealerpersistencespywarestealertrojan