General
-
Target
red2.zip
-
Size
7.7MB
-
Sample
240513-l1zhmshd5t
-
MD5
44465972d0d5a4acfa91fd15910c8636
-
SHA1
36b7bdb40022d666a7f89f07a2b0c2fcef92d85b
-
SHA256
fc0a70936e6485ae0ce312ce6ff394d0d21759de4bc9ea9b5e01544d951535c2
-
SHA512
c9b14ca7673a86017a7430c2a3bf58f056aa5507e5424deb138e51a01249fd2f341d656613e140d8b4adcaf7ae853dc44b8bd2068c198798f203a04def63d3c3
-
SSDEEP
196608:+E1aHTUbQm+sQj06e+0gQhEvFEvkxl0o65U38qaCJObOKgpa2gwqlWvP:+EEpm+zJeTgQ7k70o0qaCJZjmy
Malware Config
Extracted
redline
mixa
185.161.248.75:4132
-
auth_value
9d14534b25ac495ab25b59800acf3bb2
Extracted
stealc
http://147.45.47.71
-
url_path
/eb6f29c6a60b3865.php
Extracted
redline
debro
185.161.248.75:4132
-
auth_value
18c2c191aebfde5d1787ec8d805a01a8
Extracted
redline
@qwerabuse
45.15.156.167:80
Extracted
redline
7001210066
https://pastebin.com/raw/NgsUAPya
Extracted
risepro
194.49.94.152
Extracted
redline
5345987420
https://pastebin.com/raw/NgsUAPya
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
5195552529
https://pastebin.com/raw/NgsUAPya
Targets
-
-
Target
220f464b76f6cb53d1ee73c2d90b0ada5c8cc5d2a80bd9d4fed4a544d73721f3
-
Size
316KB
-
MD5
360ffdb3ec16d9d16ead7a7ca87eed0c
-
SHA1
570cbea4e7c59443a5545c07452bf7dca921ca9d
-
SHA256
220f464b76f6cb53d1ee73c2d90b0ada5c8cc5d2a80bd9d4fed4a544d73721f3
-
SHA512
bfe1d93d43acb599049ba62ac30143eac25942b507c3f9231fc3e05fa0d7810149b6af53c6e68437a3df32e5624367d72b0149f0e1872766992f66d9a8724ee0
-
SSDEEP
6144:Kvy+bnr+ep0yN90QEY6vZrMgXGma0+qSNF1liJHpOZvA0:lMr6y90amNRGfNMpJ0
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2743aa58ac87e72c969f8baff90a46df51144db6b46e42137bec8f8ffe030422
-
Size
208KB
-
MD5
3939a18c836b8e41a6f4e358002de48d
-
SHA1
13750e204ac84b63fd447cb28f42b8ac8e25033d
-
SHA256
2743aa58ac87e72c969f8baff90a46df51144db6b46e42137bec8f8ffe030422
-
SHA512
ab203e30ee850fbb4a3fdae2dda8769597ec96729578f55e61c1fe89e31de23c86f9ae1ca7904a9c5c53dc2c3c3d30096f2da0a220ab2838e923926faf1d7f1f
-
SSDEEP
3072:KUszX+YhFJOIwz9jnJTvT8GiJIl1yVuTolD3oc+DVWGQ+BsQEp6svwqJSo6BLMs/:TiOYfJDk998JIXygbHXQ+BsQvsv4espF
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
2ce9158850627f9719e666b3f93a1508443159828dcc0aab91110d608c67b893
-
Size
488KB
-
MD5
e497999210c7a29f76267bf656a8d5a8
-
SHA1
179871c4f25eab45c4590d4392f43109b0436dba
-
SHA256
2ce9158850627f9719e666b3f93a1508443159828dcc0aab91110d608c67b893
-
SHA512
9518cf7b92a4b4b56632437bb45950a9e529fe75e2749e404fdf0eb234e462752c3592b59063c511ab4630dbd9238cf8dc8ae94f53d77e9d8cd6e5364e9f88f3
-
SSDEEP
12288:7Mr6y90Pn98+bCRM+vppKT9t4flMp1NPBL:dyAHCtjBfcrPp
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f
-
Size
315KB
-
MD5
3d4c73f2d10c4ea03e9f55af41a02d7f
-
SHA1
e9f70b120dbab724b88c37161e5df5d8607d7500
-
SHA256
2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f
-
SHA512
05122b99c10edc0ea4b69f471daf0ce182268d505166e05a69757016f7f87b5e031911c8efd0e6722691b236df5bf2bef74f7a315d9c6c2c6d1e363bf9d98f27
-
SSDEEP
6144:rI9pI60nbM8uPZy3+8KID2YuDUtMXVgbhAZdxldn+kXHS:s9+60nbnuNYV2glAnjJZHS
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
6a183f77b983e6c003810991feea77693c5603a5e5ebca149d3e4ecfdcc2827d
-
Size
769KB
-
MD5
4dfeaa231c4fc0485c09275c5c9f1d18
-
SHA1
e1d24d0987cc158889fe7383c177c85875c4b33b
-
SHA256
6a183f77b983e6c003810991feea77693c5603a5e5ebca149d3e4ecfdcc2827d
-
SHA512
f9daf8b0c8b33d6540bc7c11a2cdba9b9558d5093a9f15a7484ee5d41d973ef72cdd446af190a3d13e4a84d1547bfd0cf093500194399ccf0a3b4a78af54a4d0
-
SSDEEP
12288:/Mryy90VCFFafw38ohrSMioWCW33fCKSOEEaeKTNDLqmNwHAkrzdaTR4UMqxB/jz:py4Whhy6+BEEaeKTNDGSN/M4lCsB1
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
77274817210948a1fbb7d40ad1a99460ad22b9558203091765c377ab9b074874
-
Size
208KB
-
MD5
47a48930888e190fdf03fb059e7de474
-
SHA1
c155265a215b375f2caf326bfc614ad164ad3a61
-
SHA256
77274817210948a1fbb7d40ad1a99460ad22b9558203091765c377ab9b074874
-
SHA512
a7dc68c80831365592e413e042f4997bc06430d106d202c35df276e4cadcfbbff2ebf53c8d3596382ab8c7a6914b4898e978ec2644db6e66a62d7940da913006
-
SSDEEP
3072:p3EzoOopVBOQwz9znJTvT8XB6I7Ho5JGbtohOkWgOe1MpcbSBLMspN:pqhonBb09t0ZLWJGpJgrupwSespN
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
951f93d281b72cbee616455728a3885d88e2ce7083c529de95ab9de3efe14ff8
-
Size
248KB
-
MD5
3bbed8da8e3a21895e4ba9ebce954c84
-
SHA1
c3481104afbd23524a03479d90076bc26fd576cf
-
SHA256
951f93d281b72cbee616455728a3885d88e2ce7083c529de95ab9de3efe14ff8
-
SHA512
1fcf2391859a1acbb03fdf7e55a1ca3ac3b2bd03e7214d8065c41e4ead8389ac00929a31102e36f171f9eb73e24bb670e52e595409d385a96c81cb643cdf6133
-
SSDEEP
6144:IaRI3xL/9tToM3IdVLU8tck4D5YupM7g4BEzdespd:I8Il90bAg4DF4BEkspd
Score10/10-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
9bba18a18011c572ee6b56cde220be7a07f51e4e0f2cdf0a4ebaf3bd06feca52
-
Size
488KB
-
MD5
4d0af6791a4c8f1017b42ffc9359e847
-
SHA1
e236deac47d484605723936e905b5b9fe5c8d428
-
SHA256
9bba18a18011c572ee6b56cde220be7a07f51e4e0f2cdf0a4ebaf3bd06feca52
-
SHA512
dc4fe46ef0f9144a2392388dc1801733d755034a6083cb6c38d8b9a4f3b3fac94e92bf4512d5b6b073612190f710e6f58810ab9497dda53fe3faa8fc18603caa
-
SSDEEP
12288:CMrIy90kaycy09XfhPA4h1Uqn0l190xbtWl:OyoyD09m4h1UqnGYxol
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
a467111c1a7dd3af8188b3fd8536d689b84b136a58f62e8366f78d309b1bad4b
-
Size
316KB
-
MD5
3f28a220d555d7f84763f4fe14c5e30e
-
SHA1
6844171e7db3af8480e85c49732e8e26c0fea7fc
-
SHA256
a467111c1a7dd3af8188b3fd8536d689b84b136a58f62e8366f78d309b1bad4b
-
SHA512
7ede895705631dfabdf2fb5a700495ed6aa265328c9d51edabbccaf8e1ed60661dfabba15c2e667191e02ec9694299fbb88a0a5c236b5590f28c0ec648aef08c
-
SSDEEP
6144:KHy+bnr+Xp0yN90QEU6vZrMgX3eYK41E8OBURKaJjl:5Mr7y90emN3rKWOmEaz
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
b6b30a924e3f969aba356b4a964cb4abb9fddd40a9a6d9068144b799e997a80b
-
Size
769KB
-
MD5
3d766587e52855bf541c62f777efa455
-
SHA1
21665033b9cf03050f016dede36990b37968ddef
-
SHA256
b6b30a924e3f969aba356b4a964cb4abb9fddd40a9a6d9068144b799e997a80b
-
SHA512
2070a54c14cf24b80d1d9aa0203ffdb17e48b79212b296c6982a15c79ad023f40c3e9d3e51af12675e28e2b62acd2ba2166621df38fa78fb9f2d47efd1430d14
-
SSDEEP
12288:6Mr/y90GlTMDFbYUzxQ8UY757qnC2CpMKK8O4WaKWPZA7o4l+jKoIikP+SYaI:1yje5z28TlmUo4WaKwOo2+jpvkNi
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
bdacff51fa5404ce6f24b89ee15c9de1591f3b0671ffcdead018c8136b56522b
-
Size
769KB
-
MD5
3bde8d4d11d1b88c76a466f3d1f34597
-
SHA1
b2aa234cf8cff2c0c5ef85b4788a57fc6b74a22c
-
SHA256
bdacff51fa5404ce6f24b89ee15c9de1591f3b0671ffcdead018c8136b56522b
-
SHA512
c6b21900ca1ea450807bb70dfbdf3190b82cb6a7f83dc17e830328ec40694443f5b90696f9cecce49978540e9ee77794b8e1385c549d85b133e2c1e12ff9a80a
-
SSDEEP
12288:5Mr5y90mOrYMvDIyWIbVTmR39GKNOdcaIc/cstSuz1U1oaI9z1mMNHVx2WKM:Ayrny4MdcalcC1U6HVsWKM
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
c37c4fe673daf8c4e8e21c607e393cc10eaf650294d08cb4f702da5fa23f0eeb
-
Size
488KB
-
MD5
e2f1945db2d8b09ce0863f06b10793fb
-
SHA1
d4097df537b990222d4b7b01661ea99167026b7d
-
SHA256
c37c4fe673daf8c4e8e21c607e393cc10eaf650294d08cb4f702da5fa23f0eeb
-
SHA512
f4d9ef38bfc3688b57042c3a186c34e142f8ca475669f6ec9a1d817c957f7809de26514fd40e27236080e8faf4569b64950e823f401175064161f13fa377123b
-
SSDEEP
6144:Kiy+bnr+5p0yN90QEkK5LnkW4nZNMlb235upK9zNDUWLIoma0AqSzF1LiCHpjZ70:WMrty90p5Ltw5upKz9G4fz5pXmLmVU
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
d0f3f32b61b9e8c20cd73d28b21a5e034041570a81ffd7bddcd760bc2f8a5538
-
Size
501KB
-
MD5
481a6a93cdc1991a33aa1619235084ac
-
SHA1
505d3069c350fdc7750bd23d89985c831bd1c01c
-
SHA256
d0f3f32b61b9e8c20cd73d28b21a5e034041570a81ffd7bddcd760bc2f8a5538
-
SHA512
ca08faf83252809be0f8f33343d4ff4e9742d68dcd86e04e2b17eda41ccb245042856dbf73fb1b3742ee27491d9f236d1dbfa91782ead8b09c9dc26f883478fb
-
SSDEEP
12288:6ZJQdCWme3O0X4aclyuoxVj0RteVtD57qyL98V:CedCWdofyuoxVj0RtqD1Z+
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
d353176614b7dd329d9f436d6a34f007c32540fac4c5f4e3f2884d89ed599fe5
-
Size
488KB
-
MD5
e6a588dedbf9392a89dd519d40515437
-
SHA1
4a3083750936eb7e16b7efad425452d6c1c6278f
-
SHA256
d353176614b7dd329d9f436d6a34f007c32540fac4c5f4e3f2884d89ed599fe5
-
SHA512
2bb4912a75594d1daaa20812b390494e03a9cfd5119ea5c7b0809063111b8e5bc0afc9309b96b8586bc6c6ad1e54f3c6e0621bf6c40f094507a372c40a411b44
-
SSDEEP
12288:hMr2y90o/lhAQkVLWuMJUO9vCsde3OE3o2Vim:7yBKQsyudO9vbP27
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
d49811a818845606218cd8436043886ebf6fa2d750248ad4f7f09d197c31db06
-
Size
1.2MB
-
MD5
e6d4ccad375cff5e8d42d28878c73dbb
-
SHA1
a9189ec9303816b6fb13f7cfb5fdd5cc98ca9e25
-
SHA256
d49811a818845606218cd8436043886ebf6fa2d750248ad4f7f09d197c31db06
-
SHA512
53cfc8537599e81c45112fa9c8f755909ace92abf2d9e619db2623e39154a089679c118937e96458b1ae26b483843d6bcb78ff02a7d1058adc73e637ff542f2e
-
SSDEEP
24576:+KxKiAH280V6GfVDeRz1ZMskLXUD5H98PIyR5yVpGlYs:+K4OV6GfVDe/eu2PzR5yVHs
Score10/10-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
db044599ba62c9a98e024ecd1f465c8f39790d7683b22c64327635e0d2c0b4af
-
Size
332KB
-
MD5
35924c0bb15b01b386378fac7c0aaa08
-
SHA1
dded29dbba3f32350573ad107ffb5b0d7e670b7a
-
SHA256
db044599ba62c9a98e024ecd1f465c8f39790d7683b22c64327635e0d2c0b4af
-
SHA512
d19f2648bbcbea5b132f57b4f832fc96fcacec58cbc1b2cec86354a9ddcb9b6d353082cc725d0a66222c582bda02e77d1ea19f2108ed216d547cc26718a64f91
-
SSDEEP
6144:WC6qcZ/Rjo7JY0n9J493SvUMwEgygh/Z9lkarsK+7iLwAw+dj3hGK0Xp:Wowo7JY0n90XygBXHsBiDj3hz0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
e3c9a1721d8f0eecf6a7e81b32b9823a4952d636d4930a9cdfae0876cf293d3b
-
Size
1.1MB
-
MD5
4c57105730828c98c61e10949fc25950
-
SHA1
b018b8964a21ec971d7a8e3480ce28976012374c
-
SHA256
e3c9a1721d8f0eecf6a7e81b32b9823a4952d636d4930a9cdfae0876cf293d3b
-
SHA512
ead8b5fc20e1a9f2125f2f7338edc844f80415ef768f02753dcdc51140b811ae2fb60f0d77226418a433746a28c81296f1a8b41333eb6b7c59c9f52f82e1f378
-
SSDEEP
24576:8yqOw0U5IPpj5uiUgnhUaO6O/xaGRxr01X:rq50U5gpJUD6lGRp
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
ea47879989afdae64e6a2fd1bdd521ed8a7eee7611d92cfa24311d7f31d22c93
-
Size
316KB
-
MD5
473f819209e2b739e186e49c007b0500
-
SHA1
a0a9d81885ff41dd92727df0edea5f8956d3cc9b
-
SHA256
ea47879989afdae64e6a2fd1bdd521ed8a7eee7611d92cfa24311d7f31d22c93
-
SHA512
54401da33c393750646bd884ec253603b8cfb358b66ac8da6676c06d37d14cbcc89b84656a903bded8b8f3b50e024ebfbb7411635f715c275c7d6c9bafa92a13
-
SSDEEP
6144:KVy+bnr+Bp0yN90QER6vZrMgXGma0+qSNF1lieHpPZ7r:jMrty90XmNRGfNfpt
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1