redline | 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705 | Triage

Sharing

General

Target

3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705
Size

736KB
Sample

230606-dtpe4abh27
MD5

4636d9e8bcc1a6d371204c04cc95ae18
SHA1

7a6e6ca9b8983baf372a07e9de40454d91445101
SHA256

3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705
SHA512

525d992de081c45b2e6ac26968ac3967615cb74dce91972a38f88c2d3673e9ecb57ce4dbd0887fa99e02b7740589ab7fce48725136cfc9de16f9567d7e7ab429
SSDEEP

12288:TMrOy904y0hFYF6cnF27059C4Iy0EVqrTQv5s0qBNFk8O/T9/lV1T0LJH/hYmdX:By2OYF6cns6tVST85LqBy/ThlPTcpd9

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Targets

- Target
  
  3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705
- Size
  
  736KB
- MD5
  
  4636d9e8bcc1a6d371204c04cc95ae18
- SHA1
  
  7a6e6ca9b8983baf372a07e9de40454d91445101
- SHA256
  
  3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705
- SHA512
  
  525d992de081c45b2e6ac26968ac3967615cb74dce91972a38f88c2d3673e9ecb57ce4dbd0887fa99e02b7740589ab7fce48725136cfc9de16f9567d7e7ab429
- SSDEEP
  
  12288:TMrOy904y0hFYF6cnF27059C4Iy0EVqrTQv5s0qBNFk8O/T9/lV1T0LJH/hYmdX:By2OYF6cns6tVST85LqBy/ThlPTcpd9
Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan