General
-
Target
download
-
Size
2KB
-
Sample
240318-ej4mpsfg67
-
MD5
4e79e21cb97b8518a239e31cf0d11fa3
-
SHA1
2dff54cdc32d26278d9fe2919ed8bf3566092749
-
SHA256
b3ab92edbf5f695b8de6a6dc7215b81355071d5919e81e482701e102ca904374
-
SHA512
94d6729a958c7967ca059a9d6b31d1522e372fc623b4aab4114429b733c0686af306a7166bf02681f8be9ec4b01ccf5d5d17d18e5ca0f087d4fc62889bb4830d
Static task
static1
Behavioral task
behavioral1
Sample
download.html
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
download.html
Resource
win10v2004-20240226-en
Malware Config
Extracted
redline
1
185.125.50.49:7439
Targets
-
-
Target
download
-
Size
2KB
-
MD5
4e79e21cb97b8518a239e31cf0d11fa3
-
SHA1
2dff54cdc32d26278d9fe2919ed8bf3566092749
-
SHA256
b3ab92edbf5f695b8de6a6dc7215b81355071d5919e81e482701e102ca904374
-
SHA512
94d6729a958c7967ca059a9d6b31d1522e372fc623b4aab4114429b733c0686af306a7166bf02681f8be9ec4b01ccf5d5d17d18e5ca0f087d4fc62889bb4830d
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
2