redline | fcdf7b95dcfc0a6a29fb1487268bc8dc583b11ad1c86335fb9bf3b4f77d96648 | Triage

Sharing

General

Target

fcdf7b95dcfc0a6a29fb1487268bc8dc583b11ad1c86335fb9bf3b4f77d96648
Size

736KB
Sample

230605-ts3jbshe93
MD5

4f2f1e7ed4a33dcedfb92e2055317999
SHA1

28794e993d519421316c66862585f9f1e756aa9d
SHA256

fcdf7b95dcfc0a6a29fb1487268bc8dc583b11ad1c86335fb9bf3b4f77d96648
SHA512

2f4f2924e3e042daf8ca7a3675046992b2b652ab1b73fc44798d6390325f706d1a424739d0e46b02a609572111a772b0e02b3a66367e0e98c776b6b96246bc19
SSDEEP

12288:rMrSy90POy0N/BOrIRsMLTgtxTPm/7RGAOQeWaBzMvF0UnEjhKe1+cVgZ:VyoCFBOPG0XTOzRJOfds0UEjYe1VW

Score

10^/10

redline maxi metro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19048

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

- Target
  
  fcdf7b95dcfc0a6a29fb1487268bc8dc583b11ad1c86335fb9bf3b4f77d96648
- Size
  
  736KB
- MD5
  
  4f2f1e7ed4a33dcedfb92e2055317999
- SHA1
  
  28794e993d519421316c66862585f9f1e756aa9d
- SHA256
  
  fcdf7b95dcfc0a6a29fb1487268bc8dc583b11ad1c86335fb9bf3b4f77d96648
- SHA512
  
  2f4f2924e3e042daf8ca7a3675046992b2b652ab1b73fc44798d6390325f706d1a424739d0e46b02a609572111a772b0e02b3a66367e0e98c776b6b96246bc19
- SSDEEP
  
  12288:rMrSy90POy0N/BOrIRsMLTgtxTPm/7RGAOQeWaBzMvF0UnEjhKe1+cVgZ:VyoCFBOPG0XTOzRJOfds0UEjYe1VW
Score

10^/10

redline maxi metro evasion infostealer persistence trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinemaximetroevasioninfostealerpersistencetrojan