redline | 5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48 | Triage

Sharing

General

Target

06417899.exe
Size

720KB
Sample

230605-r65jqshb65
MD5

89541d318cbcbd02be55b6cf1413e952
SHA1

993b6b723732f26e83475336824ad4a0df0651e0
SHA256

5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48
SHA512

ad9dfbaf1b001f62b2af626e63937421d914aab2a754c1535fc73f63522b2296973ec9cdd0a713a7289333a66dced8765f3bb43103b694d3a43c8b1e23245125
SSDEEP

12288:9MrLy90pnKSGK56I3MbmB4mLCEqh5jgzaGl097e3/HXbQ3QiEqFbMRi:yywnEgCZUcjgzX3Ps3bEIbSi

Score

10^/10

redline diza maxi metro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19048

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Targets

- Target
  
  06417899.exe
- Size
  
  720KB
- MD5
  
  89541d318cbcbd02be55b6cf1413e952
- SHA1
  
  993b6b723732f26e83475336824ad4a0df0651e0
- SHA256
  
  5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48
- SHA512
  
  ad9dfbaf1b001f62b2af626e63937421d914aab2a754c1535fc73f63522b2296973ec9cdd0a713a7289333a66dced8765f3bb43103b694d3a43c8b1e23245125
- SSDEEP
  
  12288:9MrLy90pnKSGK56I3MbmB4mLCEqh5jgzaGl097e3/HXbQ3QiEqFbMRi:yywnEgCZUcjgzX3Ps3bEIbSi
Score

10^/10

redline maxi evasion infostealer persistence trojan diza metro
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinemaxievasioninfostealerpersistencetrojan

behavioral2

redlinedizamaximetroevasioninfostealerpersistencetrojan