redline | 2f6b3652755a543ea210f569239332ef8d7d5b497d1def67c498ed8e18efdf18 | Triage

Sharing

General

Target

2f6b3652755a543ea210f569239332ef8d7d5b497d1def67c498ed8e18efdf18
Size

785KB
Sample

230602-pms1gsbf9x
MD5

eaa783470f8a042d80746403a55f925b
SHA1

e4a5773cc1a4e4e805a683ce9a9f115ea578a04e
SHA256

2f6b3652755a543ea210f569239332ef8d7d5b497d1def67c498ed8e18efdf18
SHA512

393c97ac5c226cb4b4f928a35a8a69ab2f453e5675428d951c85288852bcbfb90fa1b49393c4fbf42c58724ac3f31cd5c0c773fa15e28e407aec45f554581f42
SSDEEP

12288:BMr/y90CK7J8ZxQyOX4fKyWzE3taXQ0RA5hXM4gEagteJgFVEHUDENcxNw6sf:qyz0JWXixyCQDPXWE1scqyENIef

Score

10^/10

redline baran dusa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dusa

C2

83.97.73.127:19045

Attributes

auth_value
ee896466545fedf9de5406175fb82de5

Extracted

Family

redline

Botnet

baran

C2

83.97.73.127:19045

Attributes

auth_value
f01529725b773000e2f32e18c70d0d26

Targets

- Target
  
  2f6b3652755a543ea210f569239332ef8d7d5b497d1def67c498ed8e18efdf18
- Size
  
  785KB
- MD5
  
  eaa783470f8a042d80746403a55f925b
- SHA1
  
  e4a5773cc1a4e4e805a683ce9a9f115ea578a04e
- SHA256
  
  2f6b3652755a543ea210f569239332ef8d7d5b497d1def67c498ed8e18efdf18
- SHA512
  
  393c97ac5c226cb4b4f928a35a8a69ab2f453e5675428d951c85288852bcbfb90fa1b49393c4fbf42c58724ac3f31cd5c0c773fa15e28e407aec45f554581f42
- SSDEEP
  
  12288:BMr/y90CK7J8ZxQyOX4fKyWzE3taXQ0RA5hXM4gEagteJgFVEHUDENcxNw6sf:qyz0JWXixyCQDPXWE1scqyENIef
Score

10^/10

redline baran dusa discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinebarandusadiscoveryevasioninfostealerpersistencespywarestealertrojan