redline

Sharing

Copy URL

Twitter E-mail

General

Target

Setup_new.zip
Size

23.2MB
Sample

230913-jfcf9sab7w
MD5

812bbb20cbbd35d1a1d11d48dd397464
SHA1

fbb8eb209eb58ead86b08fe7618391c5d42174d5
SHA256

e0fed2784ab6280f6f602be319b4d4d4884778e4bfd1e88e6948a751b8523f60
SHA512

4fafb7cc8ffb01554fa73f3e7e806840407483d4332987ab704c0ff39ac5bd549c36d05f3e058dba8f6944ba0e263f3134f2ddb39305dd76061844ce918e95b1
SSDEEP

393216:bRObfG1NW0qIUFFShssNNpOpjnq+mEH6I1bGjxoj7i0ew2udob0k27qmV4vWFlxf:bRiG1NW0qIUFFGssVSxaIBGj67VeCobm

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@kl1891

94.142.138.4:80

Attributes

auth_value
def9cdd582e9c7ef72b4a3cfb023c53e

Targets

- Target
  
  Setup_new/Setup.exe
- Size
  
  762.2MB
- MD5
  
  8b1b132b0c4d7190afa85bb67522bff5
- SHA1
  
  8d3640a5230bed9575ac81c1553c66a503a7772e
- SHA256
  
  2cf6b0c730f4a952f2de3f1159d63494c066015d82fb3d4fa976dcb1ba01f5d9
- SHA512
  
  167e161389a2d6b0be716f9ed34c2966b3c40f3221df06ff9221e823f936d2fb7806864e0ef466731e11dc9da332a11255849d15787eafb90bfed54164173b90
- SSDEEP
  
  3072:2E7eslBSyPJAhTD/xQtbVIIExhwn+8JMkVybrxu1HFUWEnhBMixAwuYNLx:cslBuhTDxQtqBxan+u+rxNBMixAPYN
Score

10^/10

redline @kl1891 discovery evasion infostealer spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Setup_new/libEGL.dll
- Size
  
  935KB
- MD5
  
  69b57cc7076f64e550cba1d21372dad2
- SHA1
  
  a3c69cf1801de74757a46bab7c7c75815f449828
- SHA256
  
  432e802e5bbc1afc66732fb9511aa1d431294e6c4999d7e4dfb4e65f2773f6ee
- SHA512
  
  6142982ed72b8c55d562f823b843739d427d799c85f91d7a4777020751719d18fbc9d0e3befd3f9ae7df1a0c1a361ef320e5df4bd862469061688c9894593221
- SSDEEP
  
  12288:OXdUddsHK2HmT3v/6tDpu6KsulmJOZ6yQUE54k5RxOTVR/Facyg7jQG17UkAT/DC:Znr3vGY8JMI550JFxthUhtkPK+fn
Score

1^/10
behavioral3 behavioral4
- Target
  
  Setup_new/libeay32.dll
- Size
  
  2.1MB
- MD5
  
  9c8b228d392411aeec50905c2d80cf5d
- SHA1
  
  54a8d6ec44a8e11a3e232ad63b006b5c1394d6b2
- SHA256
  
  2c125702a00050b7175befb29e58749c8b63e33d51e6093ac04175c303084a83
- SHA512
  
  b993b094174f5564ae4e0f3c333c61ad2d57857761c60273c0d0681845e457ffa7df8bcb61f0c8dcccd12ba702457c610f742879abd339780bc5de805ddc1f69
- SSDEEP
  
  49152:RGqv0LS1e33J+UMFMVDfC/QZG9WUQmCRD75AArD/0lTrWrTZ3BGTy:RGy0LS1oJ+UMFMVDfC/QZG9WUQxRD75l
Score

1^/10
behavioral5 behavioral6
- Target
  
  Setup_new/libgcc_s_dw2-1.dll
- Size
  
  117KB
- MD5
  
  043b39434829ce93637b1801d57b2082
- SHA1
  
  297b5f72104130e17d92789adbbcfab8fe700a82
- SHA256
  
  4d2e2d408d399d066b0aaef2047f7a33515c13c589832de0d9f1ba87a530c394
- SHA512
  
  eee912b21d31c54bf913d11028f1637a041809bbe4cd6a5ca28c664f72b397d67d03230ba652a06b86916aea7e7ff5999a5b26cc14c067ab1652ab82f565edcf
- SSDEEP
  
  1536:8dtiUW76b2IPdo20ERT/TAnckgPfwxsNSGcHy//Rs0l6eeyB0nN0x/W08mZ9DxRw:8G66yo2zT/TGgXsavs0MdmxRw
Score

3^/10
behavioral7 behavioral8
- Target
  
  Setup_new/libwinpthread-1.dll
- Size
  
  77KB
- MD5
  
  1f4411c1f66c9cdf96ca9d7f9caf52d9
- SHA1
  
  ea04be653df7335483c7c8f46367d75d4ad9224e
- SHA256
  
  b5fe4d6408ef2baabdd168f4c7250900606468e9aeb24c71e0c833d3d715ae65
- SHA512
  
  8b95d0533773c5424733862cf60ed0f0d2ed5c7016b602a71dc4ce4a90ef0946de605f46c94fb0f6c3135447f60a00d3476e8b91a61e079885aa764bc1407b8a
- SSDEEP
  
  1536:NCogndcxz8C7iYx3AUwTG36Djm2uYUjslAsvONDuJluLjIGxim3Yx:Nydcaix3v363K+GNDDLjIEim3Yx
Score

1^/10
behavioral10 behavioral9
- Target
  
  Setup_new/msvcp100.dll
- Size
  
  411KB
- MD5
  
  03e9314004f504a14a61c3d364b62f66
- SHA1
  
  0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d
- SHA256
  
  a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f
- SHA512
  
  2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d
- SSDEEP
  
  12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
Score

3^/10
behavioral11 behavioral12
- Target
  
  Setup_new/msvcp140.dll
- Size
  
  436KB
- MD5
  
  3e992e3412b8067cd215b52e6f906b1a
- SHA1
  
  4aaff9d969d558d355954131b88b1c250aed5d15
- SHA256
  
  c3838cb309a101ca41064358ac65010610064f12aa3d341ea15c4b95e8d525c6
- SHA512
  
  b2c92e710c65cfa2ca4a1fd7da9bfee521e450a63ac9070a8524c2f3abfb9ebf06b6567d650c7c69e2ec2066057b61ee4f1bf39ef6ff66e483c1b445883834f9
- SSDEEP
  
  12288:eGPa9C9VbL+3Omy5CvyOvzeOKQqhUgiW6QR7t5s03Ooc8dHkC2esGbWg:eGPa90Vbky5CvyUeOKW03Ooc8dHkC2eP
Score

3^/10
behavioral13 behavioral14
- Target
  
  Setup_new/msvcr100.dll
- Size
  
  755KB
- MD5
  
  0e37fbfa79d349d672456923ec5fbbe3
- SHA1
  
  4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
- SHA256
  
  8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
- SHA512
  
  2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
- SSDEEP
  
  12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
Score

3^/10
behavioral15 behavioral16
- Target
  
  Setup_new/opengl32sw.dll
- Size
  
  874KB
- MD5
  
  3db95d9910834474528c245fbbaa0e0e
- SHA1
  
  5fb0eac4e0296d5221c408decf2842aa1b335746
- SHA256
  
  6028ad980a9329c270e0bd0ecd8d65129650c72005b038ee96cfdf2fad8c53af
- SHA512
  
  3122f699afa28cf49d99e3c241f145b88f98942cc9a2ebcd6412b6907b5e723f4914f91d3c045abc6b48ab83244179611b73e60b49e7c73a87a2b8f4933cb1ff
- SSDEEP
  
  24576:a6r4lQp6oaYa8o0oKAdx22XkoZe/qbCW0E8GNwn/Xwi:aBWYoaYxRoRdx22Xk1IrkGNwn/Ai
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18