redline | f14b33944ff630392e0540faf2f6ca73efcf2a1f94133760e669563579d86139 | Triage

Submit
Reports

Overview

overview

Static

static

1

Classic Ba...e.rbxl

windows10-2004-x64

Sharing

General

Target

Classic Baseplate.rbxl
Size

117KB
Sample

230609-w9zvwadh2y
MD5

7fd101811b433f81f37ec1c95c541c90
SHA1

3c99026b3a52052a6bd24f66d1f6a717904df441
SHA256

f14b33944ff630392e0540faf2f6ca73efcf2a1f94133760e669563579d86139
SHA512

09b3fab8ddfebcd0ec6573eb5d38121c1e5ec442b7f0f766f6f24520ac951805bde6d69a8752d5422bf34924db4794b7422093dc2173d50e3bc138f4ce474d9d
SSDEEP

1536:qZ1bFQv6EHZSMyAFBvwHoNy3h471rhq6MSa1SNWvhackS:qs6+EMyALjMR471rlMSZNWv81S

Score

10^/10

redline cryptx discovery infostealer persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

Classic Baseplate.rbxl

Resource

win10v2004-20230221-en

redline cryptx discovery infostealer persistence spyware

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

cryptx

C2

94.142.138.105:15111

Attributes

auth_value
a45302b7daf4f87798af144567e5d0ff

Targets

- Target
  
  Classic Baseplate.rbxl
- Size
  
  117KB
- MD5
  
  7fd101811b433f81f37ec1c95c541c90
- SHA1
  
  3c99026b3a52052a6bd24f66d1f6a717904df441
- SHA256
  
  f14b33944ff630392e0540faf2f6ca73efcf2a1f94133760e669563579d86139
- SHA512
  
  09b3fab8ddfebcd0ec6573eb5d38121c1e5ec442b7f0f766f6f24520ac951805bde6d69a8752d5422bf34924db4794b7422093dc2173d50e3bc138f4ce474d9d
- SSDEEP
  
  1536:qZ1bFQv6EHZSMyAFBvwHoNy3h471rhq6MSa1SNWvhackS:qs6+EMyALjMR471rlMSZNWv81S
Score

10^/10

redline cryptx discovery infostealer persistence spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Security Software Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinecryptxdiscoveryinfostealerpersistencespyware

© 2018-2024

Terms | Privacy