redline | d31fb9de344d9e503cea09ab4858b8558d941f1cc5dadd356ff9db6fefd658cc | Triage

Sharing

Copy URL Twitter E-mail

General

Target

d31fb9de344d9e503cea09ab4858b8558d941f1cc5dadd356ff9db6fefd658cc
Size

1.0MB
Sample

230526-bmma2sdg91
MD5

2c33a6d2ae5c5a442f825708cd521553
SHA1

fc2d4ecc7a1e85efd505da19cc4b63859b710143
SHA256

d31fb9de344d9e503cea09ab4858b8558d941f1cc5dadd356ff9db6fefd658cc
SHA512

b27a1c8518afbcea3249e0f19977fd1a93504b04ded6f65bcd4e34b577a27b99521ebf5c12139889914f1e4ca0854504c37e61f1e193c6a3f16265bc1df0e219
SSDEEP

24576:wygXPoOyTrktL1YyAR30kNiM6P+FIe9dtC2qOjpci:3gV+Qt2yo3BiM6P+FIe9dtM6c

Score

10^/10

redline greg lina discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

C2

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

greg

C2

83.97.73.122:19062

Attributes

auth_value
4c966a90781c6b4ab7f512d018696362

Targets

- Target
  
  d31fb9de344d9e503cea09ab4858b8558d941f1cc5dadd356ff9db6fefd658cc
- Size
  
  1.0MB
- MD5
  
  2c33a6d2ae5c5a442f825708cd521553
- SHA1
  
  fc2d4ecc7a1e85efd505da19cc4b63859b710143
- SHA256
  
  d31fb9de344d9e503cea09ab4858b8558d941f1cc5dadd356ff9db6fefd658cc
- SHA512
  
  b27a1c8518afbcea3249e0f19977fd1a93504b04ded6f65bcd4e34b577a27b99521ebf5c12139889914f1e4ca0854504c37e61f1e193c6a3f16265bc1df0e219
- SSDEEP
  
  24576:wygXPoOyTrktL1YyAR30kNiM6P+FIe9dtC2qOjpci:3gV+Qt2yo3BiM6P+FIe9dtM6c
Score

10^/10

redline greg lina discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinegreglinadiscoveryevasioninfostealerpersistencespywarestealertrojan