redline | 8deda3f9f857a91d1d9b3f420a3d9102a091849696a8f34b91e9413fc954a82f | Triage

Sharing

Copy URL Twitter E-mail

General

Target

737307862171267fd72a88c78c79ba14.exe
Size

382KB
Sample

230806-h3slbsgc78
MD5

737307862171267fd72a88c78c79ba14
SHA1

9576e06d485497f9aacb25fc6820281e50b82350
SHA256

8deda3f9f857a91d1d9b3f420a3d9102a091849696a8f34b91e9413fc954a82f
SHA512

12e9b8d7fa55d2c478988ce4cf5d9bd1ed91a36f2f76938e7edad8b540a1c3dab284b27baf68dec4c898db844d6dfc11132ec44c8c09efc8b5f0869b988fce69
SSDEEP

6144:tFwR799OIQPd+iXhq+RaoIPqg3oHBcw3v9IliGS16dSg:tFO7DOIQPd+iXhq+RPR9IY

Score

10^/10

redline evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

C2

5.42.65.101:40676

Attributes

auth_value
f6a00275f5a6ff201d2cc7f078cd5988

Targets

- Target
  
  737307862171267fd72a88c78c79ba14.exe
- Size
  
  382KB
- MD5
  
  737307862171267fd72a88c78c79ba14
- SHA1
  
  9576e06d485497f9aacb25fc6820281e50b82350
- SHA256
  
  8deda3f9f857a91d1d9b3f420a3d9102a091849696a8f34b91e9413fc954a82f
- SHA512
  
  12e9b8d7fa55d2c478988ce4cf5d9bd1ed91a36f2f76938e7edad8b540a1c3dab284b27baf68dec4c898db844d6dfc11132ec44c8c09efc8b5f0869b988fce69
- SSDEEP
  
  6144:tFwR799OIQPd+iXhq+RaoIPqg3oHBcw3v9IliGS16dSg:tFO7DOIQPd+iXhq+RPR9IY
Score

10^/10

redline evasion infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

redlineevasioninfostealerspywarestealer