redline | 9aee09bfd2877ea6d0fe1e2ab20afba70413f9e4403009bc848e6cff7aba62be | Triage

Sharing

General

Target

9aee09bfd2877ea6d0fe1e2ab20afba70413f9e4403009bc848e6cff7aba62be
Size

947KB
Sample

230821-ll3lracb23
MD5

0fe0029514ce00d3fa982efeebc9e8f6
SHA1

db1ded8ea4c2d225bbf0573be840e9d2bad26382
SHA256

9aee09bfd2877ea6d0fe1e2ab20afba70413f9e4403009bc848e6cff7aba62be
SHA512

9611a29d68231967740408b4c65b879eaa7b3aea97cd190508272e9a68311bf9ab28457627d36c57c267cac7b73271d3d0cc6e73e889b67da889d4686802ad83
SSDEEP

24576:qywU0U7S/ttMOMBzPiICqhPX8lBLdUakiXmxdM0xPmiyJu:xF0U7S/2PDfKbJZkiX0PPmR

Score

10^/10

redline chang evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

chang

C2

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Targets

- Target
  
  9aee09bfd2877ea6d0fe1e2ab20afba70413f9e4403009bc848e6cff7aba62be
- Size
  
  947KB
- MD5
  
  0fe0029514ce00d3fa982efeebc9e8f6
- SHA1
  
  db1ded8ea4c2d225bbf0573be840e9d2bad26382
- SHA256
  
  9aee09bfd2877ea6d0fe1e2ab20afba70413f9e4403009bc848e6cff7aba62be
- SHA512
  
  9611a29d68231967740408b4c65b879eaa7b3aea97cd190508272e9a68311bf9ab28457627d36c57c267cac7b73271d3d0cc6e73e889b67da889d4686802ad83
- SSDEEP
  
  24576:qywU0U7S/ttMOMBzPiICqhPX8lBLdUakiXmxdM0xPmiyJu:xF0U7S/2PDfKbJZkiX0PPmR
Score

10^/10

redline chang evasion infostealer persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinechangevasioninfostealerpersistencespywarestealertrojan