redline | 4de9aaf9e17562aeb7b8766c6609c8840ef2f16670f9870a20e94072d20573b0 | Triage

Sharing

General

Target

4de9aaf9e17562aeb7b8766c6609c8840ef2f16670f9870a20e94072d20573b0
Size

729KB
Sample

230605-s9lrgahd76
MD5

cd10fefea5990802898a69d7452967d6
SHA1

1ec8e684f08e4716d4a44e511b89e946553ba3f1
SHA256

4de9aaf9e17562aeb7b8766c6609c8840ef2f16670f9870a20e94072d20573b0
SHA512

35ab78660f862650b8044d193d3392e1a98aecd3debb2bedf33af46c696725cbd1603d59f39e52d6b7feefb0115cf94385b4d13b1b82695f270b1dc99bae55e3
SSDEEP

12288:nMr6y90DLLt46TJo334d87JEt8+NLtMr0hD5AeliaHG2iYUAA+o4MLJnGCA:ZyxWpelr0RCYHFiYUUuBGCA

Score

10^/10

redline maxi metro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19048

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

- Target
  
  4de9aaf9e17562aeb7b8766c6609c8840ef2f16670f9870a20e94072d20573b0
- Size
  
  729KB
- MD5
  
  cd10fefea5990802898a69d7452967d6
- SHA1
  
  1ec8e684f08e4716d4a44e511b89e946553ba3f1
- SHA256
  
  4de9aaf9e17562aeb7b8766c6609c8840ef2f16670f9870a20e94072d20573b0
- SHA512
  
  35ab78660f862650b8044d193d3392e1a98aecd3debb2bedf33af46c696725cbd1603d59f39e52d6b7feefb0115cf94385b4d13b1b82695f270b1dc99bae55e3
- SSDEEP
  
  12288:nMr6y90DLLt46TJo334d87JEt8+NLtMr0hD5AeliaHG2iYUAA+o4MLJnGCA:ZyxWpelr0RCYHFiYUUuBGCA
Score

10^/10

redline maxi metro evasion infostealer persistence trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinemaximetroevasioninfostealerpersistencetrojan