redline

Sharing

Copy URL

Twitter E-mail

General

Target

Setup.rar
Size

206KB
Sample

231119-dfbxvage95
MD5

d6415f417cbe9041b6efbb14e2c4537a
SHA1

a6b9d553124c438483680dd08b206534d8c94083
SHA256

3bb135949a8fd9d074d8e503909f7dfd5295f96aa6f7145a3c3aa02b15000249
SHA512

b899b4776798cbd83c89f9e30cf30c4872b114c7fce842827a0b99fdb66da1e71e3a3b14035f91620f0200d5d531cf61cfddc5da5c18c2176842a472e738f312
SSDEEP

6144:6YNMvF1jdKC1e9IzoMigxkQWMGB27lfQbdZwK:AKNIkdP7MkOlfQbMK

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@svberves4

45.15.156.167:80

Targets

- Target
  
  Setup.exe
- Size
  
  275KB
- MD5
  
  914caeec4642d8becc8edfbdc9020ce9
- SHA1
  
  d29cf26f88326b12769babcc835fca89631aeb53
- SHA256
  
  70d4cfde8899ce4beee159983e7d7d6ce2c08aa2ba4adc98ee47ac8743878e04
- SHA512
  
  5a0250c762503180a2b7f06016b77bc52ec7940b740d8a22284bc914edb3f4261c75ab0e71c39f5b70ae70e9676bec6bb292d062f84cc5a4f91bb40915dea4da
- SSDEEP
  
  3072:OCmjHS8yuBzlAjeK8SDSTRIeN10clwfC21Rzc7yFWQ3xGrcnSIZYR9cz24lK1:OnxsjeK8Pb1Nlwf51RlUrgm9cFK1
Score

10^/10

redline @svberves4 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  data/cokl.dll
- Size
  
  293.4MB
- MD5
  
  99163c0d836ab3ace9001c1feb8ae4dc
- SHA1
  
  a60f9d9defd233de381fa2010ca2ed5b8688e043
- SHA256
  
  564980de5c436300d57e22df5a760a5411e8054c7da1b95ba888af659b7229dc
- SHA512
  
  d68aab24374576e8e0870820f77331dfac98f90c5f32c20df51071c438be7690315f4d10f7b3a3039d2e10690e012e81f262a81b875d9e0fbc3d83b3592c226a
- SSDEEP
  
  12:cRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR2:n
Score

1^/10
behavioral3 behavioral4
- Target
  
  data/jre.dll
- Size
  
  293.4MB
- MD5
  
  99163c0d836ab3ace9001c1feb8ae4dc
- SHA1
  
  a60f9d9defd233de381fa2010ca2ed5b8688e043
- SHA256
  
  564980de5c436300d57e22df5a760a5411e8054c7da1b95ba888af659b7229dc
- SHA512
  
  d68aab24374576e8e0870820f77331dfac98f90c5f32c20df51071c438be7690315f4d10f7b3a3039d2e10690e012e81f262a81b875d9e0fbc3d83b3592c226a
- SSDEEP
  
  12:cRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR2:n
Score

1^/10
behavioral5 behavioral6
- Target
  
  data/wers.dll
- Size
  
  123.9MB
- MD5
  
  9b2e2a36fe94f9b33c1e787b949ec402
- SHA1
  
  1acbc06ed85a340ccaf91520f378d652ff4e5796
- SHA256
  
  98d04d874c35b6ec8c6df774ec1d672b3b5e29fc264f42abbb1cb47a1143cab3
- SHA512
  
  6555f9b256c9393b9fdd9fb99cfcbbcb057404d1f754f93bc2de236f3277fea9253b526ad8e97047738776df6a255dda8071206bf811986bda0648ba35b696bb
- SSDEEP
  
  12:cRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRW:X
Score

1^/10
behavioral7 behavioral8
- Target
  
  dxsupport_episodic.dll
- Size
  
  10.3MB
- MD5
  
  26314302a85c3190f0c059aa386c5bbf
- SHA1
  
  3c0bdef6fb521ff4d1647a807489c271c86e4b93
- SHA256
  
  e897efb99efb9987bfec5dceafab6b8a88a1ed78735925f6a8b72366691af865
- SHA512
  
  60f4ec429abaf386e3892ad45c51d0e530a48a709991c290d00309ac9b34d93f6196c8a4b67fa46c3851ccfaa4c2c18900fa85585edb59d14cef9ccf0b5d42c2
- SSDEEP
  
  12:EZRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRQ:EQ
Score

1^/10
behavioral10 behavioral9
- Target
  
  inform.dll
- Size
  
  6.7MB
- MD5
  
  b2a2ac5c8d7ab1e64f92049ac6b620b5
- SHA1
  
  e18793cc01c8206bb3095b0cc93d41a6e5239253
- SHA256
  
  d5e180bd44b78907fd57c04b4a8185dba0892ec1fc3702202a06333067a92a46
- SHA512
  
  2ed6c5f52235f857a379be03343fd617d510ffbb9772d5c51219fd020a296e66234d6966e1e579fe07a7f49c9182b83e65c866ca96bb3f1332532453a346d978
- SSDEEP
  
  12:cRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRm:3
Score

1^/10
behavioral11 behavioral12
- Target
  
  wers.dll
- Size
  
  293.4MB
- MD5
  
  99163c0d836ab3ace9001c1feb8ae4dc
- SHA1
  
  a60f9d9defd233de381fa2010ca2ed5b8688e043
- SHA256
  
  564980de5c436300d57e22df5a760a5411e8054c7da1b95ba888af659b7229dc
- SHA512
  
  d68aab24374576e8e0870820f77331dfac98f90c5f32c20df51071c438be7690315f4d10f7b3a3039d2e10690e012e81f262a81b875d9e0fbc3d83b3592c226a
- SSDEEP
  
  12:cRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR2:n
Score

1^/10
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14