redline | 31908da4ef1c61b93a3e73612b1cbbdbcfe293e84f83899a9ae3e99c5c4d9b7a | Triage

Sharing

Copy URL Twitter E-mail

General

Target

31908da4ef1c61b93a3e73612b1cbbdbcfe293e84f83899a9ae3e99c5c4d9b7a
Size

1.1MB
Sample

230516-yaerrscc28
MD5

b181f12df098a48602b60ff1746fe58b
SHA1

e3179a04c9f0f901714ddb8c8f5d6cbb7bb0bf1d
SHA256

31908da4ef1c61b93a3e73612b1cbbdbcfe293e84f83899a9ae3e99c5c4d9b7a
SHA512

a3a94ba7144e35b0880eff2d63c644fda9691756f218c4c8d3339a7e1fa2438144e5c7f0bc1eab0cfad06dbbe99622eaa1ca109bb3b59ddfd1cc3c7f8c065195
SSDEEP

12288:BMrXy90FhVnUmHA9WHC3VjWBHjd8c73p5yDr/uTLCOrMg+OqaqxJbh/g7nwWF6HK:GyaUAHC03aDeCOrMgcnwnwM+X1kG2R7

Score

10^/10

redline desto jacks discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

desto

C2

185.161.248.75:4132

Attributes

auth_value
9170d4ae7d11eaa24684a71b73bf9c86

Extracted

Family

redline

Botnet

jacks

C2

185.161.248.75:4132

Attributes

auth_value
f435940ea8063e31431e7d1a8348e11f

Targets

- Target
  
  31908da4ef1c61b93a3e73612b1cbbdbcfe293e84f83899a9ae3e99c5c4d9b7a
- Size
  
  1.1MB
- MD5
  
  b181f12df098a48602b60ff1746fe58b
- SHA1
  
  e3179a04c9f0f901714ddb8c8f5d6cbb7bb0bf1d
- SHA256
  
  31908da4ef1c61b93a3e73612b1cbbdbcfe293e84f83899a9ae3e99c5c4d9b7a
- SHA512
  
  a3a94ba7144e35b0880eff2d63c644fda9691756f218c4c8d3339a7e1fa2438144e5c7f0bc1eab0cfad06dbbe99622eaa1ca109bb3b59ddfd1cc3c7f8c065195
- SSDEEP
  
  12288:BMrXy90FhVnUmHA9WHC3VjWBHjd8c73p5yDr/uTLCOrMg+OqaqxJbh/g7nwWF6HK:GyaUAHC03aDeCOrMgcnwnwM+X1kG2R7
Score

10^/10

redline desto jacks discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedestojacksdiscoveryevasioninfostealerpersistencespywarestealertrojan