redline | 4438a1e5129ff8cc9924ab2b41f43a45e8a60fed31d70926cdb73a94ce7db49c | Triage

Sharing

General

Target

07095799.exe
Size

767KB
Sample

230525-x9f87scg2s
MD5

8ac19d5d84f48fe82fb86b94b993218a
SHA1

71c4acd571eb37ab6e91d427a7f15dd8dbb5ab47
SHA256

4438a1e5129ff8cc9924ab2b41f43a45e8a60fed31d70926cdb73a94ce7db49c
SHA512

dc93678b94fc2fedca38110e567c63d6db65a75eb193112202fda29f32eebb32b535b6bc2e22ee444cdac3c8cc66a1fda388953761b0adb362ec5d79c3f88f9a
SSDEEP

12288:0Mr/y905mVtuTO52trh5k0qrVwb7yIF3DKnRW62WxD9nkBmq0R0B4lDj0XROZ3sT:TyQmVt4rh5eVSJDKRdJCmqvB4BF3s0kf

Score

10^/10

redline dina greg discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dina

C2

83.97.73.122:19062

Attributes

auth_value
4f77073adc624269de1bff760b9bc471

Extracted

Family

redline

Botnet

greg

C2

83.97.73.122:19062

Attributes

auth_value
4c966a90781c6b4ab7f512d018696362

Targets

- Target
  
  07095799.exe
- Size
  
  767KB
- MD5
  
  8ac19d5d84f48fe82fb86b94b993218a
- SHA1
  
  71c4acd571eb37ab6e91d427a7f15dd8dbb5ab47
- SHA256
  
  4438a1e5129ff8cc9924ab2b41f43a45e8a60fed31d70926cdb73a94ce7db49c
- SHA512
  
  dc93678b94fc2fedca38110e567c63d6db65a75eb193112202fda29f32eebb32b535b6bc2e22ee444cdac3c8cc66a1fda388953761b0adb362ec5d79c3f88f9a
- SSDEEP
  
  12288:0Mr/y905mVtuTO52trh5k0qrVwb7yIF3DKnRW62WxD9nkBmq0R0B4lDj0XROZ3sT:TyQmVt4rh5eVSJDKRdJCmqvB4BF3s0kf
Score

10^/10

redline dina greg discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedinagregdiscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

redlinedinagregdiscoveryevasioninfostealerpersistencespywarestealertrojan