redline | 2a551466afe3b8ee2c53c1c55edee43ed789ce59c296b90a9db6682b16971758 | Triage

Submit
Reports

Overview

overview

Static

static

3

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

file.exe
Size

1.9MB
Sample

231005-yhjexseh21
MD5

4f2d4b2e1de4a5b2bf4570bc4fdb5d99
SHA1

80f993d5483c75e654db701b846a18b19384d2c4
SHA256

2a551466afe3b8ee2c53c1c55edee43ed789ce59c296b90a9db6682b16971758
SHA512

c90256f474d5615b3f9fde7c87b8c97fe31ad8282f862e6ffc18c3b0dadc85747b4f37dd7a60ca14f6d24a14c271985e83688b7cfd955739ec733e5b9c22abd4
SSDEEP

12288:ZrhFxXfu3LO7VzpavNcfu+wGHd3f+QcFKeEHokyu5ag9X6a9DhvhN6TsBeMrvZtw:nfu3LaVzpavNcbtd31UW6a9Dhvh2WvV

Score

10^/10

redline @black_santa21 evasion infostealer spyware themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230831-en

redline @black_santa21 evasion infostealer spyware themida trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230915-en

redline @black_santa21 infostealer spyware

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@Black_Santa21

C2

94.142.138.4:80

Targets

- Target
  
  file.exe
- Size
  
  1.9MB
- MD5
  
  4f2d4b2e1de4a5b2bf4570bc4fdb5d99
- SHA1
  
  80f993d5483c75e654db701b846a18b19384d2c4
- SHA256
  
  2a551466afe3b8ee2c53c1c55edee43ed789ce59c296b90a9db6682b16971758
- SHA512
  
  c90256f474d5615b3f9fde7c87b8c97fe31ad8282f862e6ffc18c3b0dadc85747b4f37dd7a60ca14f6d24a14c271985e83688b7cfd955739ec733e5b9c22abd4
- SSDEEP
  
  12288:ZrhFxXfu3LO7VzpavNcfu+wGHd3f+QcFKeEHokyu5ag9X6a9DhvhN6TsBeMrvZtw:nfu3LaVzpavNcbtd31UW6a9Dhvh2WvV
Score

10^/10

redline @black_santa21 evasion infostealer spyware themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redline@black_santa21evasioninfostealerspywarethemidatrojan

behavioral2

redline@black_santa21infostealerspyware

© 2018-2025

Terms | Privacy