Resubmissions

13-05-2024 07:54

240513-jrwpaagc79 (score 10/10)

General

  • Target

    red2.zip

  • Size

    69.7MB

  • Sample

    240513-jrwpaagc79

  • MD5

    a0271858ea076cc1520f69cf44b86258

  • SHA1

    2e98cc622b73d9626d80e962c19dccbcc2a6748c

  • SHA256

    6cab82583e2de1c6b7032c23d1ece4dc79755cc3d61834b28d6d28934dad124a

  • SHA512

    ab3ddd222c42ced8962d4c700f8b75bc8b36ec6da1a416e358d70132fa2fec3aa08409d7c3a787a71adbad5e0fca73ea60185c6adc2526473154a43d743a67a7

  • SSDEEP

    1572864:v0RiJpxzTW0JnhhUa+zzhNQmqQwF+HwARUKMtwLksVSJF1f:cRiJLzTzJhSFzf2YUjV

Malware Config

Extracted
  • Family: redline
  • Botnet: mixa
  • C2: 185.161.248.75:4132
  • Attributes: auth_value = 9d14534b25ac495ab25b59800acf3bb2

Extracted
  • Family: redline
  • Botnet: 5195552529
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted
  • Family: redline
  • Botnet: debro
  • C2: 185.161.248.75:4132
  • Attributes: auth_value = 18c2c191aebfde5d1787ec8d805a01a8

Extracted
  • Family: risepro
  • C2: 194.49.94.152

Extracted
  • Language: ps1 (deobfuscated)
  • URLs:
      exe.dropper: http://sindi.am/origin/xmrig_6.19.2.exe
      exe.dropper: http://sindi.am/reload/yokiro.exe

Extracted
  • Family: redline
  • Botnet: 5345987420
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted
  • Family: redline
  • Botnet: @fgkyleoff
  • C2: 147.45.47.93:80
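The extracted configs above contain two different kinds of C2: direct sockets (ip:port, or a bare IP with no port for the RisePro config) and a Pastebin raw paste that the two numeric-ID RedLine botnets use as a dead-drop resolver, plus the two PowerShell dropper URLs. The Python below is an added example, not code from the report or from the sandbox vendor, that normalises those indicators and matches them against connection and proxy telemetry. The indicator values are copied from the page; the event shape, the SHARED_HOSTS list and the sample events are assumptions for illustration. The point it makes is the one a hunter needs: for the Pastebin C2, only the exact paste path is an indicator (the host alone flags every Pastebin user), while the port-less RisePro IP matches any connection to that address.

```python
"""Normalise the C2/dropper indicators extracted on this page and match them
against connection and proxy telemetry.  Added example; the indicator values
are copied from the report, everything else (event shape, SHARED_HOSTS) is an
assumption for illustration."""
import ipaddress
from collections import namedtuple
from urllib.parse import urlparse

# (family, botnet/tag, C2 or URL) exactly as listed in the Malware Config section.
EXTRACTED = [
    ("redline", "mixa", "185.161.248.75:4132"),
    ("redline", "5195552529", "https://pastebin.com/raw/NgsUAPya"),
    ("redline", "debro", "185.161.248.75:4132"),
    ("risepro", "", "194.49.94.152"),
    ("redline", "5345987420", "https://pastebin.com/raw/NgsUAPya"),
    ("redline", "@fgkyleoff", "147.45.47.93:80"),
    ("ps1-dropper", "", "http://sindi.am/origin/xmrig_6.19.2.exe"),
    ("ps1-dropper", "", "http://sindi.am/reload/yokiro.exe"),
]

# Public services abused as dead-drop resolvers (ATT&CK T1102).  Matching on
# the host alone would flag every user of the service, so these need the path.
SHARED_HOSTS = {"pastebin.com"}

Indicator = namedtuple("Indicator", "kind host port path label")


def classify(value):
    """Split one extracted C2 string into (kind, host, port, path).

    kind is "socket" for ip[:port], "deaddrop" for a URL on a shared service,
    and "url" for a URL on a host that serves only the malware.
    """
    if "://" in value:
        u = urlparse(value)
        host = (u.hostname or "").lower()
        port = u.port or (443 if u.scheme == "https" else 80)
        kind = "deaddrop" if host in SHARED_HOSTS else "url"
        return kind, host, port, u.path
    host, _, port = value.partition(":")
    ipaddress.ip_address(host)  # fail loudly on anything that is not a bare IP
    return "socket", host, (int(port) if port else None), None


def build_indicators(extracted=EXTRACTED):
    out = []
    for family, tag, value in extracted:
        kind, host, port, path = classify(value)
        out.append(Indicator(kind, host, port, path, f"{family}:{tag}" if tag else family))
    return out


def match(event, indicators):
    """Return the sorted labels of every indicator an event hits.

    event is a dict with dst_ip/dst_port (Sysmon Event 3, Zeek conn.log) or
    url (proxy log); both may be present.
    """
    u = urlparse(event["url"]) if "url" in event else None
    host = (u.hostname or "").lower() if u else None
    labels = set()
    for ind in indicators:
        if ind.kind == "socket":
            # A bare-IP C2 (no port, as for RisePro here) matches any port.
            hit = event.get("dst_ip") == ind.host and (
                ind.port is None or event.get("dst_port") == ind.port)
        elif ind.kind == "deaddrop":
            hit = host == ind.host and u.path == ind.path
        else:
            hit = host == ind.host
        if hit:
            labels.add(f"{ind.kind}/{ind.label}")
    return sorted(labels)


def scan(events, indicators=None):
    indicators = indicators or build_indicators()
    return [(i, hits) for i, ev in enumerate(events) if (hits := match(ev, indicators))]


# Constructed telemetry for the example; none of these lines come from the report.
SAMPLE_EVENTS = [
    {"dst_ip": "185.161.248.75", "dst_port": 4132},
    {"dst_ip": "185.161.248.75", "dst_port": 443},   # same IP, wrong port
    {"dst_ip": "194.49.94.152", "dst_port": 50500},
    {"url": "https://pastebin.com/raw/NgsUAPya"},
    {"url": "https://pastebin.com/raw/unrelated"},    # same service, other paste
    {"url": "http://sindi.am/reload/yokiro.exe"},
    {"dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i], "->", hits)
```

Running the block prints hits for events 0, 2, 3 and 5 only: the 443 connection to the RedLine IP and the unrelated paste are correctly ignored. Whether sindi.am should be treated as attacker-controlled (host-only match) or as a compromised legitimate site (path match) is a judgement the report does not settle; the example takes the first view, which is the noisier one.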

Targets

    • Target

      19b0fef28f9283208217c705c0a0948215b01ab6d8a13fc17ad98dd3bfad7f43

    • Size

      769KB

    • MD5

      8ef112c93e35f0a687de85b0196d9bc8

    • SHA1

      b7a7c4534825cf5d95e90120b9abcff34ccb2d08

    • SHA256

      19b0fef28f9283208217c705c0a0948215b01ab6d8a13fc17ad98dd3bfad7f43

    • SHA512

      ccfbd7c3ad8c190ad5a10a5be32cf8f5a5d4dd6b5c8ade3178d295cf55c11cdf3eda66491641ac39148cde87de3f2d194601688784f42776ca0fb7984af14ccf

    • SSDEEP

      24576:DyFfBGkdH2DB/1NZythbmeDOvycTRqtpBPb6R4x:WFp7Y/1NZShqePcT0bV

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3352e66593f9d652c7f760070d266d43ca2ba74eca75114c78a92c09c1a1c391

    • Size

      3.1MB

    • MD5

      9aa2ad69aeccac3b49dfc5cecce2fdc6

    • SHA1

      e93044a2babc4d30b26432b6b935bacc701317e8

    • SHA256

      3352e66593f9d652c7f760070d266d43ca2ba74eca75114c78a92c09c1a1c391

    • SHA512

      2b679843b30feb1fa1b8c1a47368f54275ed2a46c0405f6be65c100601815b2fd95c66107a0c3b36e85e12236e02990db259b27e3dfd1fd40d6c56d0816c711d

    • SSDEEP

      49152:W1OtAz7vzNxv6p9OOEaWqLCL7EG2I5UQz7nIGoqSWQbVEEdCXT429FQf9:yO6fzj6OqL87EGl5UQz7nIG/QEEd3im

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3dc73b4f6d23faab7a9c9989da9da63b5a19429e50f38b9dbe628e0e665538ce

    • Size

      316KB

    • MD5

      802e28be0e67c369681af9376222910a

    • SHA1

      19ee07bc3befb9e2af0a8e28130941b8ad16d2a3

    • SHA256

      3dc73b4f6d23faab7a9c9989da9da63b5a19429e50f38b9dbe628e0e665538ce

    • SHA512

      b6f01f052ca9109e3941d7d38fd68b0539943f3cc376c5772f784c1eb96f68f72e6f01d1015485bd20246c01229c6586180181c458980600250184894365d66d

    • SSDEEP

      6144:K5y+bnr+mp0yN90QEL6vZrMgXGma0+qSNF1li0HpmZMh:LMrKy90pmNRGfN5p1

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4f349af46bc292e6b889f0832eb248516cc2963296d302c979f597894e4d5b9b

    • Size

      316KB

    • MD5

      2e084f8ae01bc2e11630d0f1a11f94eb

    • SHA1

      ffa6adf4d07b6e10d02b8f8ba796d7c463d6251c

    • SHA256

      4f349af46bc292e6b889f0832eb248516cc2963296d302c979f597894e4d5b9b

    • SHA512

      4ecc7654c973a9f16c5a119191db5dde189400979c956ab251f72ed9e943a9057d7252348dd362cc0d4ce214627f06c747eb002a66050a7b08b8a976fe030269

    • SSDEEP

      6144:Kgy+bnr+Bp0yN90QEJ6vZrMgXGma0+qSNF1liOHpfZ7M:EMr1y90rmNRGfNvp2

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5f46e467c061df7fa78ebd885165c37162ef831c2d0911d7e5ad004914721fd1

    • Size

      488KB

    • MD5

      96b23348138f51e351fe980ef010820c

    • SHA1

      50437d1af3d73aabfd31772d20d62db91f48d1c9

    • SHA256

      5f46e467c061df7fa78ebd885165c37162ef831c2d0911d7e5ad004914721fd1

    • SHA512

      52671e982512ac5202467accb0348b2b8105f20d698ecaef2b08a2cc8270484090104e1161805c70cd63283cb99c40218e3e9a18a0889f3e4fd55c538dc3d454

    • SSDEEP

      12288:BMriy90s1eVIXf12MAFGCTh4+4QdoaLUbnA2l0M:fy9MyXfdA8Ge+4lXbAAT

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8069cc601aa5c7d4e22869ae3d73aca18ae49df7fb1ab536a5bae9eebf49b50b

    • Size

      487KB

    • MD5

      994ec39705eac574191eace3a8a02c35

    • SHA1

      d03377cd7f2e5801f8a2189862c083c98c54e633

    • SHA256

      8069cc601aa5c7d4e22869ae3d73aca18ae49df7fb1ab536a5bae9eebf49b50b

    • SHA512

      e3767aee3cbe141e9c24913a9853cc739e83101899a458b4edaa0861b7e6388d3fd7211b2b04748f11619fb53fba2e14b4e15e6f6ef749a32ee84d9966b80902

    • SSDEEP

      12288:/Mruy90Tn5OX+f3hsdIXVgSClzKlOP5aJKT9yirznmhU:hycnIXMyIXSSuP5aJKT9J2hU

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62

    • Size

      1005KB

    • MD5

      80766f346a1033b1abfeeabc7180a880

    • SHA1

      2568f835441d53bc785a4ddf8537814826e3d064

    • SHA256

      86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62

    • SHA512

      029d53c19dd434b410eb61158e8a653c3d3725b50de9e5bb7dd766baed93a37574b3171509ee7e968d18158d89082029e74881630fb852c37b305053ec5c87aa

    • SSDEEP

      12288:VMrry90H6OndYa8eQHWFiUDhbkYuuDu6rtRHvb6sCIoxV+pY62N7198r3GJnWIi:KypOnDiU9Pyyhj6sUx+07cSkN

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8c9f0fa0be3118f84dc4af8a50fa0b11a785e5014b63d362193e6a262a8fb066

    • Size

      316KB

    • MD5

      2f3f3933a88c5548f0f53de0c045744c

    • SHA1

      4a6a2e1e012452533c92a8c0106a13c22bc78195

    • SHA256

      8c9f0fa0be3118f84dc4af8a50fa0b11a785e5014b63d362193e6a262a8fb066

    • SHA512

      c82a6cfe58f8a8b67592c08bdf3f1b14f77ec97ef276e5611d6135b8b9892166ce39d27d3251cc4c154f62b9a639c25896569a637a35a255dc9d3e71cc2879b9

    • SSDEEP

      6144:Kdy+bnr+hp0yN90QEP6vZrMgXGma0+qSNF1lioHp+Z7H:rMrVy90FmNRGfNRpc

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b7dd4fa2a0deaf6b70cea7aaf1292a2e835aef45edb5a190cc515d98cf60a8d9

    • Size

      293KB

    • MD5

      3503d07ffdcbf58c0991a126f62e2c5c

    • SHA1

      3ed929e6f39d6088a58f34f960a7c990b390675a

    • SHA256

      b7dd4fa2a0deaf6b70cea7aaf1292a2e835aef45edb5a190cc515d98cf60a8d9

    • SHA512

      12dd40424a7b70721f7a631220862126a12f5812f95e121eeff76b23b147020a98100cb152082dffb7a68cae5015c5392775264a754b3e6931099beb26c52157

    • SSDEEP

      6144:27wlKAtETWV0M582YRT/9pWIYjkSbGwRm/CN+wbsdSaaO0:iAtETWV7uXpRYjk4BRFNzwdAO0

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      c6da225fb62894a834b6867eb9be1ea8ccf1a903e8671866168dd071aca5dafa

    • Size

      488KB

    • MD5

      2f3fa90ecf8e9fe6e83983805b789349

    • SHA1

      e1de460aee88a9ac9c21f83eb407f4664a750948

    • SHA256

      c6da225fb62894a834b6867eb9be1ea8ccf1a903e8671866168dd071aca5dafa

    • SHA512

      885f801cbd569523c23f4b66c14c13762ea148f2d916942ebb51b9ec071889c1f76b5faaf0c3717c44d5a639c81ed4ec9132c7b4f5f32f7abff59eb173f7ee5c

    • SSDEEP

      12288:qMr4y90FSeqHWLG6wwVSzvTArGGjL7LaQv:ey6SeqHWLG6jSe3D

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      cc7742c8001c4a7afeeb3158d2ab1ec0ba7e424607202fda0368e3c083efc012

    • Size

      316KB

    • MD5

      94a02d62c4e080836f944e844ec8b5d4

    • SHA1

      9a8aabb5ed9387cebf5f1ff4216f1c02b28a0603

    • SHA256

      cc7742c8001c4a7afeeb3158d2ab1ec0ba7e424607202fda0368e3c083efc012

    • SHA512

      1abe32d98d730410ae3cec75228d4ee70b7606a44c0cf502df169d82dcc018c891003815a9e4d9ce84067bfc5fcace37565fb08a882da458383d117213a39a50

    • SSDEEP

      6144:KTy+bnr+9p0yN90QEe96G62nMPR65VwH7LG5Zbnw5ntw8evI2aA:hMr1y902g2MPR+6qnStJevITA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d2c05517b061fa2c2cea3ca1c6534fc1b6939fb680a9f3a6c347b5e3161fe0e5

    • Size

      488KB

    • MD5

      907a221d32e150352febcf2204660a16

    • SHA1

      a596306aced667dd95fa3e0256e7bbafd9d939c2

    • SHA256

      d2c05517b061fa2c2cea3ca1c6534fc1b6939fb680a9f3a6c347b5e3161fe0e5

    • SHA512

      91c4abcef149e0e4fb632bfc609fcc3bc4f506a92c340df727ab3d036aeed174896b369728de1f81d44aed36bfe96e6561aecae45b3cc10d1a8cdbb905570a9c

    • SSDEEP

      12288:bMrBy90B4tAG4Rwa2z74fIUp6GRngNEZ:OysgA92a5fZ6oc6

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d5755dadc9af9cde67934873a4cde67dc43f1cec089cfbeef71140b67d9912b2

    • Size

      1.9MB

    • MD5

      8fab5525761a1e1d513d3cfcebc2888d

    • SHA1

      eac452385c6204d132a3dd067722a0f1cc2e0b55

    • SHA256

      d5755dadc9af9cde67934873a4cde67dc43f1cec089cfbeef71140b67d9912b2

    • SHA512

      0da86ac9da17ac45728383181dbbe3239043dd0275ed228f2eb0774df29cc164f18a5fc43a8bbc07eb815cbab733234def44df6c8aaf6e792ee66e316afa11e5

    • SSDEEP

      49152:e9TyReffFJi5631lw0OKRoXehFCM+2md70sZB:0GSJ00UbzW/jC7

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9

    • Size

      51.0MB

    • MD5

      334d3992d07061c6b20d08d200811aff

    • SHA1

      c896f1f24fd0af2d523946217fb556fadfac3304

    • SHA256

      dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9

    • SHA512

      6d10bc11d0792c2ef63ae0564df650ec1c7e3a776bf3df3df7097cb5fd3477a173b8dc2bd36628f67a312b766bf684626ec6221be9d259425dad65309f791b4a

    • SSDEEP

      786432:n14+ls/Zo30hnFnAZZhGJHJaIKYlPLkkAt9lMe/HMrGQgQGmLIqFGkCRFrmT:14++iEVFnAxGJfljDeQgQGLqNCjmT

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      df3f16beb4d3acd1e8b8534de7bf5cb57197e6dd26e6a178646e38030fc4fc20

    • Size

      488KB

    • MD5

      8d7ad3e241546b03c8bd657b8d568bcb

    • SHA1

      6671ea22e88780e9f444771b0266c480755f2aba

    • SHA256

      df3f16beb4d3acd1e8b8534de7bf5cb57197e6dd26e6a178646e38030fc4fc20

    • SHA512

      89133f1cf9dd703b3f9f4994166fabba1409ae1cac86b08a8c68ccc510d3f10f83f3baebaf5ead2bf49b586ebdd1b545b0922b5e6896e5f32129cb8a7980c1cb

    • SSDEEP

      12288:1Mriy90xqAYIAVpmh3+zKlOScaPc/0Md:zyHAYrGGScau0q

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ee8298cd5d9f8bdbd454fe9ed793c212861949a01d7aea4e943358d34afb033c

    • Size

      8.0MB

    • MD5

      938f076af32c6e71c92278b53dc5a9ef

    • SHA1

      2af91e918bec246f859ffa7973ae44fca142b8c1

    • SHA256

      ee8298cd5d9f8bdbd454fe9ed793c212861949a01d7aea4e943358d34afb033c

    • SHA512

      2ae63090cba3f31415b7d9d1d8ac86705db05a4f2ea212f3b928789778089133f4d15256284887ab479dc98d4cc785d246be47662f96c77a231ff4d989ca6da2

    • SSDEEP

      196608:klg5R80HmLprSPddX1duraL+t59MkQ8/Ns9cI1/Xn:ksRmrSPdD8raL48j81Uc0/X

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Target

      f74cd80563ab797e8c60d04e362fc823973dd8e96a656012d2d623ef7ad1c88e

    • Size

      1011KB

    • MD5

      9678a0208c8f4189e9e2040cc7995981

    • SHA1

      c8747a43217c65583fb373ad98a549c8e5955297

    • SHA256

      f74cd80563ab797e8c60d04e362fc823973dd8e96a656012d2d623ef7ad1c88e

    • SHA512

      2074dcc76e1fa6da58cab46fbea13055fddf2a5f2202b643e80271af452159a4b6f5e4f5765b55414ebb0934dc3e1c2425a873c036c749479b40d6da960583c8

    • SSDEEP

      24576:LeTUiTveEutGQatHz06ZbVQMsMqVsMDW3yVs:LegRtLatHz04A6cVs

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      f94038b1f4a813ae30ed5d5239f2cf7c7bb3eb904647ecda548e389a93b7456e

    • Size

      1.2MB

    • MD5

      96efbeac15b74cc31414b0dcd8846b33

    • SHA1

      d1bf7bdab893c6344f5a2519e15f96e83196b0d5

    • SHA256

      f94038b1f4a813ae30ed5d5239f2cf7c7bb3eb904647ecda548e389a93b7456e

    • SHA512

      7ea87fbff048622a76c5777e692aa92d3d394c2e5e65316ba86c7eb2b29857f53d7caef934560fbc016e6eaf0b5adc71487e893539af3847ad6e2fa54777435c

    • SSDEEP

      24576:8JXyijJIK8li6v93OhJjuMsYqRwDsLC/LzWVTHYIE9u3fmLFy8hs:8Jixli6v93OreRm/WVrNXIFzs

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
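Across the RedLine and RisePro targets above the same persistence and defence-impairment signatures repeat: a Run-key entry (T1547.001), a file dropped in the Startup folder, and a write to the Windows Defender Real-Time Protection settings (T1562.001). The Python below is an added example, not the sandbox's own signature logic, that applies those three checks to Sysmon-style registry (Event ID 13) and file-create (Event ID 11) records. The sample events, image paths, SID and value names are constructed for illustration. One caveat: Sysmon logs registry writes, not reads, so the BIOS, ACPI and Uninstall-key lookups listed above are not detectable with this kind of telemetry and need a different source (ETW registry tracing or an EDR that records queries).

```python
"""Flag Run-key autostart, Startup-folder drops and Windows Defender
Real-Time Protection tampering in Sysmon-style telemetry.  Added example; the
events below are constructed, not taken from the report."""
import re

# Event ID 13 (RegistryEvent: Value Set) and Event ID 11 (FileCreate) records
# in the field layout Sysmon uses.  Paths, SID and value names are invented.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\IXP000.TMP\1.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\OneDriveUpdate.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\IXP000.TMP\1.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,  # same value written back to 0: not a finding
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11,
     "Image": r"C:\Users\victim\AppData\Local\Temp\IXP000.TMP\1.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loader.lnk"},
    {"EventID": 13,  # ordinary installer registering a tray application
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Covers both the policy path (SOFTWARE\Policies\...) and the product path.
DEFENDER_RTP = re.compile(
    r"\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableOnAccessProtection"
    r"|DisableIOAVProtection|DisableScanOnRealtimeEnable)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # how Sysmon renders REG_DWORD


def evaluate(ev):
    """Return the list of findings (ATT&CK-tagged strings) for one event."""
    findings = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 13:
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY.search(target):
            # Writer or autostarted binary in a user-writable directory is the
            # pattern of the samples above; a Program Files installer is not.
            if USER_WRITABLE.search(image) or USER_WRITABLE.search(details):
                findings.append("T1547.001 Run key -> user-writable path")
            else:
                findings.append("T1547.001 Run key (low confidence)")
        m = DEFENDER_RTP.search(target)
        if m:
            dw = DWORD.search(details)
            # Only a non-zero value disables protection; a write of 0 re-enables it.
            if dw and (val := int(dw.group(1), 16)) != 0:
                findings.append(f"T1562.001 Defender {m.group(1)} set to {val}")
    elif ev.get("EventID") == 11:
        if STARTUP_DIR.search(ev.get("TargetFilename", "")):
            findings.append("T1547.001 file dropped in Startup folder")
    return findings


def scan(events):
    """(index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := evaluate(ev))]


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"], findings)
```

The low-confidence branch is deliberate: Run-key writes from installers under Program Files are routine, and collapsing them into the same alert as a write from a Temp-directory dropper is how this signature becomes noise in production.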

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each entry is the count of matching signatures across the tasks.

Execution
  • Scheduled Task/Job (T1053): 3
  • Command and Scripting Interpreter (T1059): 1
      PowerShell (T1059.001): 1

Persistence
  • Create or Modify System Process (T1543): 7
      Windows Service (T1543.003): 7
  • Boot or Logon Autostart Execution (T1547): 15
      Registry Run Keys / Startup Folder (T1547.001): 15
  • Scheduled Task/Job (T1053): 3

Privilege Escalation
  • Create or Modify System Process (T1543): 7
      Windows Service (T1543.003): 7
  • Boot or Logon Autostart Execution (T1547): 15
      Registry Run Keys / Startup Folder (T1547.001): 15
  • Scheduled Task/Job (T1053): 3

Defense Evasion
  • Modify Registry (T1112): 30
  • Impair Defenses (T1562): 14
      Disable or Modify Tools (T1562.001): 14
  • Virtualization/Sandbox Evasion (T1497): 1
  • Subvert Trust Controls (T1553): 1
      Install Root Certificate (T1553.004): 1

Credential Access
  • Unsecured Credentials (T1552): 6
      Credentials In Files (T1552.001): 6

Discovery
  • Query Registry (T1012): 6
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 7

Collection
  • Data from Local System (T1005): 6

Command and Control
  • Web Service (T1102): 2

Tasks

static1
  Score 3/10

behavioral1
  redline, mixa, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral2
  evasion, persistence, themida, trojan
  Score 9/10

behavioral3
  redline, mixa, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral4
  redline, mixa, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral5
  redline, debro, infostealer, persistence
  Score 10/10

behavioral6
  redline, debro, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral7
  privateloader, risepro, loader, persistence, stealer
  Score 10/10

behavioral8
  redline, mixa, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral9
  Score 3/10

behavioral10
  redline, 5195552529, discovery, infostealer, spyware, stealer
  Score 10/10

behavioral11
  redline, debro, infostealer, persistence
  Score 10/10

behavioral12
  redline, debro, infostealer, persistence
  Score 10/10

behavioral13
  redline, mixa, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral14
  privateloader, risepro, loader, persistence, stealer
  Score 10/10

behavioral15
  persistence
  Score 7/10

behavioral16
  redline, debro, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral17
  xmrig, execution, miner, persistence
  Score 10/10

behavioral18
  Score 3/10

behavioral19
  redline, 5345987420, discovery, infostealer, spyware, stealer
  Score 10/10

behavioral20
  Score 3/10

behavioral21
  redline, @fgkyleoff, discovery, infostealer, spyware, stealer
  Score 10/10