redline | aee23c5a743602a2416775e6e4170eee3df109876b9d91c4c8a659d2d834991a | Triage

Sharing

General

Target

aee23c5a743602a2416775e6e4170eee3df109876b9d91c4c8a659d2d834991a
Size

983KB
Sample

230525-f7yl2agb95
MD5

5dd5eaec7d4a9aa01f7c3ed9a52c55fc
SHA1

41621b61db26b296f3328f9dc1e637d8fb65382c
SHA256

aee23c5a743602a2416775e6e4170eee3df109876b9d91c4c8a659d2d834991a
SHA512

9d6c271b179490a4ad3935831b541b372ecaa0ceecda10c790dbe8313c597eede5b982e91b4dbf68c2302e3b1901eef659091042b7fe87a0e07d973dc5c827e6
SSDEEP

24576:jyBbyuPOr0C67eYxzHJiq6QTvTGCxh2m8kf5FhkfnkM:2cuPaieYCq1G2hb8GJF

Score

10^/10

redline haval maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.122:19062

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

haval

C2

83.97.73.122:19062

Attributes

auth_value
d23dec6813deb04eb8abd82657a9b0af

Targets

- Target
  
  aee23c5a743602a2416775e6e4170eee3df109876b9d91c4c8a659d2d834991a
- Size
  
  983KB
- MD5
  
  5dd5eaec7d4a9aa01f7c3ed9a52c55fc
- SHA1
  
  41621b61db26b296f3328f9dc1e637d8fb65382c
- SHA256
  
  aee23c5a743602a2416775e6e4170eee3df109876b9d91c4c8a659d2d834991a
- SHA512
  
  9d6c271b179490a4ad3935831b541b372ecaa0ceecda10c790dbe8313c597eede5b982e91b4dbf68c2302e3b1901eef659091042b7fe87a0e07d973dc5c827e6
- SSDEEP
  
  24576:jyBbyuPOr0C67eYxzHJiq6QTvTGCxh2m8kf5FhkfnkM:2cuPaieYCq1G2hb8GJF
Score

10^/10

redline haval maxi discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinehavalmaxidiscoveryevasioninfostealerpersistencespywarestealertrojan