redline | 61071812b3307184c0f04b053d367d477b98fec1d857c8f23f1502f0f43bd1a5 | Triage

Sharing

General

Target

61071812b3307184c0f04b053d367d477b98fec1d857c8f23f1502f0f43bd1a5
Size

983KB
Sample

230525-c7p34sgc5t
MD5

9cc731cd92badaff73f62dcde7cfe76d
SHA1

aebbfb76f20e49c2562c993d9adb7ae7eb82a82e
SHA256

61071812b3307184c0f04b053d367d477b98fec1d857c8f23f1502f0f43bd1a5
SHA512

5ec2c4d7bba9928b23b4f8a6c674c977939d7a2880d6133c8bb05cd17dcdd8640bf257f0be82a2bba74e46ff80b25b7683c6b6d96634516be0a7069d9176e456
SSDEEP

24576:Ny0AolmsblI/NnDfpWt3rSA0reF1TGToh6USLFLkfFHl:oqlNlI5fpWtCaG0h6US9

Score

10^/10

redline diza haval discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.122:19062

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

haval

C2

83.97.73.122:19062

Attributes

auth_value
d23dec6813deb04eb8abd82657a9b0af

Targets

- Target
  
  61071812b3307184c0f04b053d367d477b98fec1d857c8f23f1502f0f43bd1a5
- Size
  
  983KB
- MD5
  
  9cc731cd92badaff73f62dcde7cfe76d
- SHA1
  
  aebbfb76f20e49c2562c993d9adb7ae7eb82a82e
- SHA256
  
  61071812b3307184c0f04b053d367d477b98fec1d857c8f23f1502f0f43bd1a5
- SHA512
  
  5ec2c4d7bba9928b23b4f8a6c674c977939d7a2880d6133c8bb05cd17dcdd8640bf257f0be82a2bba74e46ff80b25b7683c6b6d96634516be0a7069d9176e456
- SSDEEP
  
  24576:Ny0AolmsblI/NnDfpWt3rSA0reF1TGToh6USLFLkfFHl:oqlNlI5fpWtCaG0h6US9
Score

10^/10

redline diza haval discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedizahavaldiscoveryevasioninfostealerpersistencespywarestealertrojan