redline

Sharing

Copy URL

Twitter E-mail

General

Target

AuroraV2.exe
Size

770KB
Sample

240319-e3atqshd54
MD5

4354532285d1fee0e9e1f757e2fefd03
SHA1

ed4661c574ac9b67c6c87f0b672af3dd5439f004
SHA256

a76d0ca31629666d6fde15d21f0d225c1580d875ab7bb6d6a608f38e40190e8b
SHA512

66e2896f320db3f96319f5063dd7616e811cc4114b994a4582e990f8941408e5d281d5f51f629012a818081de5acf885a9cb40047040db98a2cacd7de777cc48
SSDEEP

24576:6bRO13jhaFVNLwBzlSaOaLp6RB3qrbRYItaXrc:w6CDLyz+MEBqvSIUc

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

45.15.156.142:33597

Targets

- Target
  
  AuroraV2.exe
- Size
  
  770KB
- MD5
  
  4354532285d1fee0e9e1f757e2fefd03
- SHA1
  
  ed4661c574ac9b67c6c87f0b672af3dd5439f004
- SHA256
  
  a76d0ca31629666d6fde15d21f0d225c1580d875ab7bb6d6a608f38e40190e8b
- SHA512
  
  66e2896f320db3f96319f5063dd7616e811cc4114b994a4582e990f8941408e5d281d5f51f629012a818081de5acf885a9cb40047040db98a2cacd7de777cc48
- SSDEEP
  
  24576:6bRO13jhaFVNLwBzlSaOaLp6RB3qrbRYItaXrc:w6CDLyz+MEBqvSIUc
Score

10^/10

redline @dxrkl0rd discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1
- Target
  
  $TEMP/Adapters
- Size
  
  179KB
- MD5
  
  b05211f89c3e471627978ceaadbece85
- SHA1
  
  3cb7685dc8dd9104e597da099412e7f96569c40e
- SHA256
  
  bcdf18a812ac1388024fc636d2556a408460ff73b5e17d8af94f56ab43e20ec7
- SHA512
  
  c3ea3ab452b403f03eb53356f88b7408bc8a5a1e919d2dcb5415ec5f3eaaf64f55f33b2561fecc0d6fc959304c0f3b325b9a208988850c00f749b4ca0ade3750
- SSDEEP
  
  1536:KIB4848M0IB4848bij1f2D262MSxIB4848n9C7p6g0HXplF9V2iJ7IB4848XtXnT:0k1f2D262l8ch
Score

1^/10
behavioral2
- Target
  
  $TEMP/Appeals
- Size
  
  197KB
- MD5
  
  9848974aacb0b13c0c6532a5fed69662
- SHA1
  
  7bb229cea9fd8008e526a9d1a529f5104eb515c0
- SHA256
  
  e645141706a7f1220384053729b30c3e25164dda4d9d6a1b8714c87209b4f3d5
- SHA512
  
  e07480490f8d42888e0c8577687f204ff6b287ec184a02dfddf055ecf9f013f70e326eddfbdd616c2d960dbff62de9e21d6e642d64f77ea5ff5caaef68fa61c6
- SSDEEP
  
  6144:AVPlcBgtoTqnvAfcaG9b2M8JTDD/xcq21R1f:OlcqikvAfcN9b2MyZa31f
Score

1^/10
behavioral3
- Target
  
  $TEMP/Characterization
- Size
  
  12KB
- MD5
  
  6d42e125318abf40c3e01b55e50545f7
- SHA1
  
  827980b79228e6ceb741733aad46a9033b261049
- SHA256
  
  76db08aa2202ac2cb27af4246f6a00957d15b96c2b3cee95443fbd708a39e57b
- SHA512
  
  875fa1ce29c8c4b08a0838366c34e5f35684e8532600a68b6a8050f517ae499f473b931de7c3f08f1d0ed7924c814e860b8b3c2481bead54ad8daa59a4f069f9
- SSDEEP
  
  384:SC8WWz2dD3lhZjTTZy1Jqavk+U/vMZ2mc:S/z2dBhZfTZy1JqFOZ2F
Score

1^/10
behavioral4
- Target
  
  $TEMP/Construction
- Size
  
  35KB
- MD5
  
  629dcdb5e964a46336b660452b9ee0ac
- SHA1
  
  1dd73d8d84c6ef575756f5b0e095f86a24da73c6
- SHA256
  
  d02e10a10f3743f4994e43c33c0e7648fcfa076396d525935f62b88ca308845e
- SHA512
  
  341fbbd2d9400cea6e6f476107fe65c2f739d5d9d5e36e75cd1a212fe1db79ebc60fcdfd85219fe4c11ce09da1a8cf0605fa840bf8d2237459eb121384b8d15d
- SSDEEP
  
  768:3CVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLw7Vn8JMAnJyA:yVgCOa1ZBPaPQaEwo0B48A
Score

1^/10
behavioral5
- Target
  
  $TEMP/Designer
- Size
  
  279KB
- MD5
  
  e981cf4342c3cb2587880ffeacd43179
- SHA1
  
  ce15fa590a16d7ab918cb1e8074d1f49f6c64541
- SHA256
  
  12a7fc7dc3e1c2a1d44aa4b881fad1b83984ebdf96fb4f08f097117a535b11bf
- SHA512
  
  8cfdbc085721653144b544d8158f1c3e535429aef16a51c7be9e3672d359c0d7c9fe5f926e5c9b546cb32f1307f93ec67e0e8732c992e23aaa9dca90a2aa52ac
- SSDEEP
  
  3072:Sg/bZVUAg0FuPOKBNEBNUGXEyaAt7P+6b/xhgariwYLIYaWy4ZNo:h/wAOPOei7TdFW6fgarnYdhBZ2
Score

1^/10
behavioral6
- Target
  
  $TEMP/Elder
- Size
  
  155KB
- MD5
  
  f9f6a09d5817d513e984dd5d0cfc1d17
- SHA1
  
  5f968f4bf9c82b4104d40bd7d0d3229592f6561d
- SHA256
  
  4cf83f6e610eeb0ac7cbcd9c71e0bbda99cb465c1303a5e9ea6fcf59fc248ea6
- SHA512
  
  d5fc501a123e8c915ad510b7c6e79af185252065e53d6300c2ce7e9b63a74e2330a09296c333e6b56633c5182ca028f93feb4c8ba7211d75b9c80d48964b89f9
- SSDEEP
  
  3072:KixApVIa0/vidXqGjLPQ6ClAMfA4lelIJBSLPNL:KgA/12vk6AQzyMfA+e9
Score

1^/10
behavioral7
- Target
  
  $TEMP/Pets
- Size
  
  260KB
- MD5
  
  f6fb13732dc8c23095a35161fc8d2ecb
- SHA1
  
  e433eb58dfa69f3239988f6cec758d6f76ea12b8
- SHA256
  
  3973fbec123a1063743e3a2bd70c5cf0cdfabf20040673cad5060477cce2bd32
- SHA512
  
  84898b2794463bfcfc1edde01192370b8fb4613f3c66d93b9943688b7ef09da55d92168267fd40a572407f5c705b119204451dc4fd741af27b9c7166d2623431
- SSDEEP
  
  3072:1HaElpD2xbqN8DHjnxjpZUk0pCBXMwAMJnXUN/a7zrSrMQS7:JvD2xW+DH/ZRBXMwAGnWuzVp
Score

1^/10
behavioral8
- Target
  
  $TEMP/Strongly
- Size
  
  206KB
- MD5
  
  35f17b8bf9805bbe8b3befaf5244779b
- SHA1
  
  4cc81d66c0b6bb84d029cde9659dadd1152808ac
- SHA256
  
  2f35af3beabb1f0266efa6feb2903a117a14fb206c4c09fff96787bb313e7dd3
- SHA512
  
  2edf05aa46b9aef7e2aa77ae0a9385d09e8a18349549fc743bafee0f538227877dd47c17f90e7a558a9958a2f6083ace6b0a13f26006a2320968abe0825d2bfe
- SSDEEP
  
  3072:6CV26MqgQTc5F446iYNpK5SB7BJBzLZDKJtIs8di/37EM/j2xQ7:6i2VWTyFsJ8gNJBnGtINs7
Score

1^/10
behavioral9
- Target
  
  $TEMP/Yamaha
- Size
  
  229KB
- MD5
  
  8f2fbb0145076f576facc399174772f4
- SHA1
  
  1c4de51cf28843fb4ee97002ec126bd604836bc7
- SHA256
  
  5bbd83d4f4b38239cb22257c2d327afbf9aab99d97ab7045a71fa1083b61218f
- SHA512
  
  9eb7257d39914559ae729b5fada1519fb9e2003328ecb9f8b0b2c2075224bf141f122db2237b7b97a751dc76a5bc18d3447870be9d6b593062255592fdf350a5
- SSDEEP
  
  1536:Vf+i6iU0C9U9Ghxv7IB4848ZvbTeSrtK34FAMZvG0IB4848YDWj2HwHel7Yxski7:ciu934FjbVfxzhlmHfe9CDm
Score

1^/10
behavioral10

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10