redline | 59d70080bc8b14928a0017a928f7c6a49add7999d5af91186c1aa0a0ed0b4b35 | Triage

Sharing

General

Target

59d70080bc8b14928a0017a928f7c6a49add7999d5af91186c1aa0a0ed0b4b35
Size

1.0MB
Sample

230602-lr2awaah33
MD5

1388aacc25dfbc101aae0dc59aecc8c4
SHA1

c439bd892d3350637ca85637b9ba67bd488de3a1
SHA256

59d70080bc8b14928a0017a928f7c6a49add7999d5af91186c1aa0a0ed0b4b35
SHA512

0dfcbbfd6f2fb8b16d32ef49ac0fd01f612fd14e9c13e6e2f0bf76d06e01c72d9246eee6558fa53d589c0ff6240f8e18bff351ed39a64025057d0a48a32b8cee
SSDEEP

24576:OylGVZIcSJFN2ubbD7dS8IvPVaoscJ3Lg2qIN8:dloZIcSJKuDA8IvPVaZC3LgDIN

Score

10^/10

redline grom lars discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lars

C2

83.97.73.127:19045

Attributes

auth_value
8b06149cdaa5b5a4c6c7b3663f19e609

Extracted

Family

redline

Botnet

grom

C2

83.97.73.127:19045

Attributes

auth_value
2193aac8692a5e1ec66d9db9fa25ee00

Targets

- Target
  
  59d70080bc8b14928a0017a928f7c6a49add7999d5af91186c1aa0a0ed0b4b35
- Size
  
  1.0MB
- MD5
  
  1388aacc25dfbc101aae0dc59aecc8c4
- SHA1
  
  c439bd892d3350637ca85637b9ba67bd488de3a1
- SHA256
  
  59d70080bc8b14928a0017a928f7c6a49add7999d5af91186c1aa0a0ed0b4b35
- SHA512
  
  0dfcbbfd6f2fb8b16d32ef49ac0fd01f612fd14e9c13e6e2f0bf76d06e01c72d9246eee6558fa53d589c0ff6240f8e18bff351ed39a64025057d0a48a32b8cee
- SSDEEP
  
  24576:OylGVZIcSJFN2ubbD7dS8IvPVaoscJ3Lg2qIN8:dloZIcSJKuDA8IvPVaZC3LgDIN
Score

10^/10

redline grom lars discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinegromlarsdiscoveryevasioninfostealerpersistencespywarestealertrojan