redline | 976ce1b513553b55546b110d245377a7c5e661de02b20c9a3c3c2d65c0a7dd52 | Triage

Submit
Reports

Overview

overview

Static

static

1

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

824KB
Sample

230824-vy912afg8w
MD5

e978406a3f33ac72c4b8f172eefa22f8
SHA1

3eccf927a1e1c5105d23fbb8ec9ba4012d95b19f
SHA256

976ce1b513553b55546b110d245377a7c5e661de02b20c9a3c3c2d65c0a7dd52
SHA512

2e9aa4ad8f8f07f9ea41b9164c7d34497fe42d55ef6394a93b62d0bfc7f9d2e2917ffac6da5a18c02a4c3b6755246f731fae7b2f408e30e8d4ca3c3107fff7b8
SSDEEP

24576:G23OjK5U1a2vjevHHunpE5GAfrMb9pOGzmnc7:Xoa2vjevHHuKJrMyc7

Score

10^/10

redline logsdiller cloud (telegram: @logsdillabot)infostealer persistence spyware stealer themida

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230824-en

redline logsdiller cloud (telegram: @logsdillabot)infostealer spyware stealer themida

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230703-en

redline logsdiller cloud (telegram: @logsdillabot)infostealer persistence spyware stealer themida

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

149.202.0.242:31728

Attributes

auth_value
c2955ed3813a798683a185a82e949f88

Targets

- Target
  
  file.exe
- Size
  
  824KB
- MD5
  
  e978406a3f33ac72c4b8f172eefa22f8
- SHA1
  
  3eccf927a1e1c5105d23fbb8ec9ba4012d95b19f
- SHA256
  
  976ce1b513553b55546b110d245377a7c5e661de02b20c9a3c3c2d65c0a7dd52
- SHA512
  
  2e9aa4ad8f8f07f9ea41b9164c7d34497fe42d55ef6394a93b62d0bfc7f9d2e2917ffac6da5a18c02a4c3b6755246f731fae7b2f408e30e8d4ca3c3107fff7b8
- SSDEEP
  
  24576:G23OjK5U1a2vjevHHunpE5GAfrMb9pOGzmnc7:Xoa2vjevHHuKJrMyc7
Score

10^/10

redline logsdiller cloud (telegram: @logsdillabot)infostealer spyware stealer themida persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlinelogsdiller cloud (telegram: @logsdillabot)infostealerspywarestealerthemida

behavioral2

redlinelogsdiller cloud (telegram: @logsdillabot)infostealerpersistencespywarestealerthemida

© 2018-2025

Terms | Privacy