redline | cd01ba51913ca7f262c54321d25e3b75480ae8e585062d2c6ec1d5d2ed75e1b1 | Triage

Sharing

General

Target

85a0e52a8de1950f464b9459304643bb.bin
Size

750KB
Sample

230605-nwdfqagh6y
MD5

b82a08e960b81a93a67e4f470936b091
SHA1

90f2093cbed904a85e40cc331e831798e19c49bd
SHA256

cd01ba51913ca7f262c54321d25e3b75480ae8e585062d2c6ec1d5d2ed75e1b1
SHA512

37f24b369bfdf90f59772ba669f815eb5c60cc28a8e173481090e8f9e8424f8fbd83ee91853f5e8d889d2fda9defe6f214f7ac640fd7d67935ec634c82c529a1
SSDEEP

12288:H38tqosukbokIez4XgKuKurm4Y2tB0SkOp8W97h9GSckbFo/JQXtHhq11BhO:H3Cbuy4F/Y2tWsmwGbkbO/qO11BhO

Score

10^/10

redline maxi metro discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19046

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

- Target
  
  e241edee7c22ef5362efffbf3c295ec9edae6b5baff182fff64ae0160b940050.exe
- Size
  
  794KB
- MD5
  
  85a0e52a8de1950f464b9459304643bb
- SHA1
  
  003b2ee898ffa0da6ec290b7468c7d43be2305f3
- SHA256
  
  e241edee7c22ef5362efffbf3c295ec9edae6b5baff182fff64ae0160b940050
- SHA512
  
  6cdef73eeb3ef5093df33a225ef9b520a41dd457a50f44eeffe2ae2e2772f0879d4cb10dc11966127be7465d050429e5cb8003c831a1cfa2acc7bfe687b5cd79
- SSDEEP
  
  24576:TyUgzCpvBwzYA0yuWVg+a2eWSmzKI1/D:mBmp5wzVxaaSmR1
Score

10^/10

redline maxi metro discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinemaximetrodiscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

redlinemaximetrodiscoveryevasioninfostealerpersistencespywarestealertrojan