General

  • Target

    r1.zip

  • Size

    7.9MB

  • Sample

    240513-kl5wfaeg31

  • MD5

    2a6db81134c1f64fc9489b3a8b158c30

  • SHA1

    b99f46bbc598583fbfb22d2f9a81bb30fbd78b43

  • SHA256

    ae29634c421e7fae872a93c040b896ad770641124691367109255096c87422ba

  • SHA512

    e5809d2db6d276981e3223a2a63235fd9d6182047072f85335f0f9bbcc3bbf331ec04c34c5f5202ec8fb1063d94755026d58e5a11414f4e8ec061d34e1d42aa2

  • SSDEEP

    196608:yeEh03KoC1f6Zo4UjPqsKLt4+r4KLdx33+OQhTa+A1gtw2RoJ:yeTaZeNU7yi+N3ohTNAatzRoJ

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes
  • auth_value

    18c2c191aebfde5d1787ec8d805a01a8

Extracted

Family

lumma

C2

Extracted

Family

redline

Botnet

@gennadiy_mudazvonov1

C2

82.115.223.236:26393

Attributes
  • auth_value

    6bda425a78ff4c6e5a0e1be9d395ecce

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      0c6c2d02897cd3a48d87eb9ffccb7da326368f5af9973827701f7f11a02f33f8

    • Size

      488KB

    • MD5

      6db49a95e667692ec21e46a40379b81f

    • SHA1

      2d4a57435a5ff349ac5b9db8485a4a1e7d4aa700

    • SHA256

      0c6c2d02897cd3a48d87eb9ffccb7da326368f5af9973827701f7f11a02f33f8

    • SHA512

      ef16e77b5398ce12031a69603d9a0c8a97661193e88e1d8f3cefd8e6848f7044554feade11190d0b580901894a11aea539d7715156bd91b02c075579a9c53329

    • SSDEEP

      6144:KHy+bnr+ap0yN90QE8japPvZZXrsPZ0zNuxthOHHpHhzv9XDc6WtTcQ7Zlo7s:lMrGy90nj7sZ0zNWIdhRXDcVtTcWHoI

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      149fc3f5cd338e71229ff8913b45efa9eb6bbfaec5ab3b5a441eea234cd6dfc0

    • Size

      316KB

    • MD5

      1f2f0d7ffa427f1848e4be58812200f3

    • SHA1

      db92dede52bf27679cd478c524bab8fd199c09b8

    • SHA256

      149fc3f5cd338e71229ff8913b45efa9eb6bbfaec5ab3b5a441eea234cd6dfc0

    • SHA512

      f96e5b7d18ff5848124700b5b84f38f3ae60b4012ba84b68543ca8a3a18461e63182f9495619b2c30658642b5ca504d2d8d0098c48ee229e04c63d28cac39103

    • SSDEEP

      6144:K7y+bnr+Pp0yN90QEs96G62nMNsEdbQFJiqn27Imuh90emN2cq:dMr7y90Yg2MNgUqn0I190E

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      17abfd1473344da57bce6bc87592d1bd502496e07f9f5f05088113dc5835dfcb

    • Size

      1.2MB

    • MD5

      1d267ce48d4f4de44a562dd00ea333c9

    • SHA1

      e539eb34642045c760a49e6d78709cb2aa796f19

    • SHA256

      17abfd1473344da57bce6bc87592d1bd502496e07f9f5f05088113dc5835dfcb

    • SHA512

      c1b080399fe26341ea56e6723e036c63785f4e33b03fd429e7ee210233893f4ead22d651ec71da0e85ecb4a97119597a76846e83fd8add038cd239fc6e7d9e10

    • SSDEEP

      24576:cS3uibPmcOFD6uH/nqDkQMsE1DeD1T8/MiOQ07Is:cS+ZFD6uH/njfnkh7Ms

    Score
    1/10
    • Target

      17fde5d9ca56c86f7c55a06c86a5f499da4e8be448da902e8bca4b6a2ab62037

    • Size

      316KB

    • MD5

      700ae249a1b5335cd43a6f464e36e5b1

    • SHA1

      4c23d7d927b6ae4eca55224a77c65e73561140e4

    • SHA256

      17fde5d9ca56c86f7c55a06c86a5f499da4e8be448da902e8bca4b6a2ab62037

    • SHA512

      48f502da66c47d0a81f0170cf5e4e11e2d496db9fedea3edccedf4711197afde1e63889bc48d82e0fea594af03842160bd3bf57c7f60d399ef26547203ed48a3

    • SSDEEP

      6144:KEy+bnr+Rp0yN90QEh6vZrMgX3eYK41E8OBURKaJct:MMrJy903mN3rKWOmEaet

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7

    • Size

      315KB

    • MD5

      290b0115d137ba7f6f75557dea9a3418

    • SHA1

      4fd841d032858a7bc39d598eca329371bc48a118

    • SHA256

      51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7

    • SHA512

      b843b5beea655f803deb8473cb9ed4f06e0d99c46480dcce39d321b1bcb4b4dff4350bd7c41f6ca0f3eaae31e73e9351ec5de920eddfedc809f119effe362a34

    • SSDEEP

      6144:8A9pI60nbM8uPZy3+8KIDJgu+PchgHadTi7ZiEfXHS:H9+60nbnueg3cy6RFEPHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      5edd9114eabff0eab414379df54f27cab95470cfb3b9afacd8d2b0b81cd6c4eb

    • Size

      488KB

    • MD5

      23f01cf0bf048e2096c7d36467866f41

    • SHA1

      b5cfde3d76c919ee112f2f79ddea6c81306eb798

    • SHA256

      5edd9114eabff0eab414379df54f27cab95470cfb3b9afacd8d2b0b81cd6c4eb

    • SHA512

      6d623c0c4a2a752ff3fe2e19b2afa4456c5bd236b70fe44f30ca82dc9a610fdc2524a201e08cbcd2a10959e916024eddd597f5885e7d236167d92adb902af99d

    • SSDEEP

      12288:5MrRy90J+U37EBfCMiEWyWt3FzKlOqEa1KTfDLqmNXP:AyodwBueyBqEa1KTfDGm

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      607e9555a1d7b53a7b0df44d97299b13591bb7307f032dbcbe651804b1fe0b15

    • Size

      488KB

    • MD5

      1f45948eea5057c9c11fc3d67acc108b

    • SHA1

      36488f4f3470bb268a5b615fc31ce5582b33c527

    • SHA256

      607e9555a1d7b53a7b0df44d97299b13591bb7307f032dbcbe651804b1fe0b15

    • SHA512

      93f0ee5c932a8bf91a432f0737cf72b0466e5f5f2230f7b7fd53a410cdb81e180596ee63214bd2b09ce857b0b31916971514ec6fc5c248aa46ad74c7d1ff3fab

    • SSDEEP

      12288:VMrxy90PfMtZcBN+UHnyG/4fG9py9DsZ37WJco:gyofccBifKya37W2o

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      771bceb036dc1bf0625c875d22945c0c97f1c283c24445478fd60b0d1bfc6861

    • Size

      1.2MB

    • MD5

      2b38a7d41cb74614ef5f78ce65f78d81

    • SHA1

      1b7131fa000f573df217ac4701fa1fa6092a6e81

    • SHA256

      771bceb036dc1bf0625c875d22945c0c97f1c283c24445478fd60b0d1bfc6861

    • SHA512

      975b3432c0b145d5f3bacd980f947e5cb72cfd5096536209e31538da03667a265998fd56b4f8919abc62565a896b18e6990c579b9696bdaf6632168d1fba2ad4

    • SSDEEP

      24576:S9LDiCMrdBl9Jacrzhm1UCMskmZHDRMHr6dfeaZFjGs:S9/gl9JacrzhBOeeeaZFjGs

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091

    • Size

      769KB

    • MD5

      2192e78e226ded3e90153939253bb995

    • SHA1

      eae212316fa4f120c7e25b8e7160d2c1a4dc8dca

    • SHA256

      86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091

    • SHA512

      aff8c63b8d61d4b0a2cca130272529c63dd8061169072e7d85e790ee392a1e245e60a360b3e6eb1b27bed2b70e69efb4b8f78ce2d24c1e8f9935c7877b9ccbfa

    • SSDEEP

      12288:MMrIy90UKF36qwIwHydHGTk/KrONXaTKnqReJaT/S3pI27JsPKqxc:cygAdKnNXaTpwm63SSmPzS

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8e17ec5c24044e48320486209beaae1614288ec7a5612818e3d0c2ee0e331a4f

    • Size

      316KB

    • MD5

      213ff3feb0af96e19a3e8ec718d69a27

    • SHA1

      c98fa1e6179f2c20e1a1a1056e0863997e70ea7a

    • SHA256

      8e17ec5c24044e48320486209beaae1614288ec7a5612818e3d0c2ee0e331a4f

    • SHA512

      9ddccbc36cd0618ef951866a76c15156c48fc6d67b8519a19360c7684ec154902a520b25f93bd8cfe2607dcd67431d04200ba731e3b4d74a0606af9518a8cb1a

    • SSDEEP

      6144:KFy+bnr+Lp0yN90QEX6vZrMgX3eYK41E8OBURKaJV:jMrny905mN3rKWOmEaX

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9d868256e0187fdb9c4a132bf032719805f8777e82d13bb5fe9e43e8477652f2

    • Size

      1.2MB

    • MD5

      224f753c63bfb5417069040eef0a56ee

    • SHA1

      b35d6b49344b0db211371f97a731a11b17a6dc8d

    • SHA256

      9d868256e0187fdb9c4a132bf032719805f8777e82d13bb5fe9e43e8477652f2

    • SHA512

      03912eadf017471b080803fa96419e8ae1cabd1608439e41b8d0113f9c768aae383b7fce7735fb995c3a4780077b7f1015d6e0178bbebb806afe919997231489

    • SSDEEP

      24576:BMrDSiyJIK8luK3932JQ9bMsYpZSDnFuc+eiNNMlAts:BMiCluK3932m6Y47NMlAts

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd

    • Size

      281KB

    • MD5

      224ebb289e52c9f3a4c2bd583dab2d7c

    • SHA1

      8cc0b7dd2fad4fac37cb87ab3c5027a061fdebb5

    • SHA256

      a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd

    • SHA512

      ea21feaa211f24f25106c5ec7825f575ad9a2e1d582a9908107d9a9b866db2baeedfc6fd4c6034d492c61491bc06d7c5cda14a31bce6e59c24a9c9537d7d2e2f

    • SSDEEP

      6144:Wk65a4mpI1TJe8makPXbhaEW1MvBf5rXweiV/:uMVAJ8PX1aEWapxjm/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      ab04398202a474f3e0102a37e709eef11730126eada5cee105c90c4b367107f0

    • Size

      1.2MB

    • MD5

      25baf8fe36b6dafbe1e57f1ce0222ab1

    • SHA1

      369d57e7fb1537133d0974e7a4bed0ef6caca4cf

    • SHA256

      ab04398202a474f3e0102a37e709eef11730126eada5cee105c90c4b367107f0

    • SHA512

      2a6f32e78da14369f0e8318abe61f45b267d22fea0670e5b97463541ae6a5bc3546cb685a1b2a8a3045cc063a2e1110d2ee2ccf3c39b8e298f8c1aa3eab797c8

    • SSDEEP

      24576:ZMRqNUuIoPlMdHs8fvIvv2qJCLHPu4CNXeHZST:Zm/oPlMdHs8fvqD4PONuE

    Score
    10/10
    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Suspicious use of SetThreadContext

    • Target

      ae84a961544dece93229953207f8c80747b6a606377bd6920b5aed289b1eab3c

    • Size

      297KB

    • MD5

      6c3d589c8083af8f03b50d3e5cb3028b

    • SHA1

      893c4bbb2be8ebba54c18345a0c2c8b512da69b9

    • SHA256

      ae84a961544dece93229953207f8c80747b6a606377bd6920b5aed289b1eab3c

    • SHA512

      aa11105f5a68a13ccc391ebbd11cd60965979ac40fd50b692a2aada85daf8444c31f69f6c434e91fd4e6dc608b9c27c2d1bbb908dfa1e367366890aa99dbbef1

    • SSDEEP

      6144:tk87zE8yF+JnF/1VVsNxnXW0+scVpoAcyyTdgYK9djWvCoCe:287zE5iwNFWKKC4OdU9dnoCe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      b6d80ad1fb778375158ffcec8a66d0ee8975e23dab1c4c954fd439a0cb714961

    • Size

      1.2MB

    • MD5

      21d03a07515c5a571236972c15624dfb

    • SHA1

      eaa64143d8752cb82a1fea178b87c2a516839593

    • SHA256

      b6d80ad1fb778375158ffcec8a66d0ee8975e23dab1c4c954fd439a0cb714961

    • SHA512

      53c0f4e6362ec9334a7c794cb49a5387e0e49484e62450839793a944b388db9bf1f10a200a5c1f030d6a24092952a30b08af08faa06e86dfa067c33d405c669b

    • SSDEEP

      24576:aT7wiAeljlFpyjlHKhhu7MsCEkmDkApjmURdNvSmWjiMwHBs:aTcYFpyjlHKOV6i9RXFWghs

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      bdc8be1708b12d406d76b4c6d9cb66fc47101b1a34bef22f58bdec7f873b12f2

    • Size

      316KB

    • MD5

      6d7aae742f92b9d7649d006bbb032d43

    • SHA1

      ddeff69dfbdf10903d566b3ad0a3d06681a81df7

    • SHA256

      bdc8be1708b12d406d76b4c6d9cb66fc47101b1a34bef22f58bdec7f873b12f2

    • SHA512

      4ab76eec7f2841f516ff6ce930abb2004431c9ee9cb307ec437391c47a0a3843c0fba7b4b4b5163e462fb1f55ed55fd19c14da45df90a90577c93b8a4cadcaf3

    • SSDEEP

      6144:KPy+bnr+4p0yN90QEW96G62nMpfj3uXN9RUMuaozOKV0:VMrwy90ig2Mhj+baR3X0

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      e50229ae810e4ca9fea69dbb2c9c964cfb85ddd1a8bd885bf8beedb496393253

    • Size

      488KB

    • MD5

      247f9586f4eb5afd06c97ca283661ab6

    • SHA1

      9614ca472a7578dbaf82123454cc7f3ec227d631

    • SHA256

      e50229ae810e4ca9fea69dbb2c9c964cfb85ddd1a8bd885bf8beedb496393253

    • SHA512

      68f235922e3de20809160638b3acefaf02c0b260925ced641bb041cf8aa758077fad048fd4c06c54edbe3563b0ba96a6d86c7b763985501b7ea5a9bab89e6470

    • SSDEEP

      12288:TMr+y90PCPEiP0fFrupWSXsb4fuRpbjFXSXQj:xypLP8FoIEfYbRCXQj

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e74fd85e9a34e530d0f2821f66b2c0707873528c420366915b22283baf9adc2a

    • Size

      1.2MB

    • MD5

      6d8795ea727723893087cbeeae415422

    • SHA1

      1ee878cc7c49d0c395ea8b37261eb4038be2349b

    • SHA256

      e74fd85e9a34e530d0f2821f66b2c0707873528c420366915b22283baf9adc2a

    • SHA512

      9e9dbecacaa791dd4ad7393635420bc423dde8fada60f9b733ec926e363ecb0642c700fa4fe73611440f6b2e2bdc849869ca7f1a1418666635f3fc33c610f6c8

    • SSDEEP

      24576:WzRSiJH28+VpdGfVDeJJmJMsGM5aDEJe+qX6UXMqa5s:WzUfVpdGfVDe2PlqpMqa5s

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      f09814000e7cb43d244be02b82ed9e60e120494de3b1919428114f861d94a542

    • Size

      293KB

    • MD5

      211600fc9d7a1bf494c8192d479934b7

    • SHA1

      fab67178bc9529a5abdd33647028ca9d7d3a61ae

    • SHA256

      f09814000e7cb43d244be02b82ed9e60e120494de3b1919428114f861d94a542

    • SHA512

      d23e060d62722bad4d258e0742d23e17ba375e930a23e3a6323735944b07f4f26ab74abaaf81b41f1f0fcbe3fb8f0a02097e45df40ff606c1100c9ad7f272aac

    • SSDEEP

      6144:eVwlC1u/z2xPFdGXz3F/CpFbrCl1vdewk4VY1naO0:I1u/z2xt8Qp5G1vdxk4VYQO0

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

redline, debro, infostealer, persistence
Score
10/10

behavioral2

redline, debro, infostealer, persistence
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

redline, debro, evasion, infostealer, persistence, trojan
Score
10/10

behavioral6

Score
3/10

behavioral7

redline, 7001210066, discovery, infostealer
Score
10/10

behavioral8

redline, debro, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

redline, mixa, evasion, infostealer, persistence, trojan
Score
10/10

behavioral10

Score
3/10

behavioral11

lumma, stealer
Score
10/10

behavioral12

redline, debro, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

redline, debro, evasion, infostealer, persistence, trojan
Score
10/10

behavioral14

Score
3/10

behavioral15

lumma, stealer
Score
10/10

behavioral16

redline, @gennadiy_mudazvonov1, infostealer
Score
10/10

behavioral17

redline, @gennadiy_mudazvonov1, infostealer
Score
10/10

behavioral18

Score
3/10

behavioral19

rhadamanthys, stealer
Score
10/10

behavioral20

Score
3/10

behavioral21

redline, 7001210066, discovery, infostealer
Score
10/10

behavioral22

Score
3/10

behavioral23

lumma, stealer
Score
10/10

behavioral24

redline, debro, infostealer, persistence
Score
10/10

behavioral25

redline, mixa, evasion, infostealer, persistence, trojan
Score
10/10

behavioral26

Score
3/10

behavioral27

redline, zgrat, discovery, infostealer, rat, spyware, stealer
Score
10/10

behavioral28

Score
3/10

behavioral29

redline, 5195552529, discovery, infostealer, spyware, stealer
Score
10/10