redline | 695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6 | Triage

Submit
Reports

Overview

overview

Static

static

3

SlackSetup.exe

windows7-x64

SlackSetup.exe

windows10-2004-x64

Resubmissions

15-06-2023 13:48

230615-q4kk4she67 10

11-06-2023 18:58

230611-xmzr2aad3z 10

Sharing

General

Target

Slak.zip
Size

182.2MB
Sample

230615-q4kk4she67
MD5

cb4c7f6de37cc4239b8aa2771601cd8a
SHA1

e0760bff195b77961875e6ab06ddaef1942e6014
SHA256

695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6
SHA512

f9d74fdfe31a5f6923be8c4f92b5eaf3d6365857e7c05cc2db4d84cde082589df638d164690cbd53b67e959d204f8393a0fc9fe4069e4b027cfb2c419a322ec1
SSDEEP

3145728:MxVSPzVRujbjsS85S8f9MzmvI6MK8V/cQi5LpBnZnUH9BdzspBP87m7:OVS78jyMz5KU/c5LL2aP87m7

Score

10^/10

redline 2 discovery infostealer infostealer_generic persistence spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SlackSetup.exe

Resource

win7-20230220-en

redline 2 discovery infostealer infostealer_generic spyware

windows7-x64

20 signatures

600 seconds

Behavioral task

behavioral2

Sample

SlackSetup.exe

Resource

win10v2004-20230220-en

redline 2 discovery infostealer infostealer_generic persistence spyware

windows10-2004-x64

25 signatures

600 seconds

Malware Config

Extracted

Family

redline

Botnet

2

C2

missunno.com:80

Attributes

auth_value
a2810548b2740462ea1c66aa3bc71f08

Targets

- Target
  
  SlackSetup.exe
- Size
  
  364KB
- MD5
  
  a371421bfe2b541c078fc43b008a4e27
- SHA1
  
  f74b4931c61a54ea12a10a5b6b48c8bb4dd4706b
- SHA256
  
  b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca
- SHA512
  
  653c62cc43ec2cda143cdce4ee633f6482a780cb83b36dafc9625f3406756909f5d7250b2d6610b57858b3154e7b461fddded2bc20436865d3e59ca88d96b5e8
- SSDEEP
  
  6144:tpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqlGwrZPHifJWP7w:tp8KLBzQ7Lcf3SiQs2FTTql9unNrkvfy
Score

10^/10

redline 2 discovery infostealer infostealer_generic spyware persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Find unpacked information stealer based on possible SQL query to retrieve broswer data
  Detects infostealer.
  infostealer_generic
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redline2discoveryinfostealerinfostealer_genericspyware

behavioral2

redline2discoveryinfostealerinfostealer_genericpersistencespyware

© 2018-2024

Terms | Privacy