Overview

overview

10

Static

static

3

13d2ddbb73...3e.exe

windows7-x64

3

13d2ddbb73...3e.exe

windows10-2004-x64

10

248f6a88e2...75.exe

windows7-x64

3

248f6a88e2...75.exe

windows10-2004-x64

10

3b3c25930d...c3.exe

windows10-2004-x64

10

5d4ab7321b...b1.exe

windows7-x64

3

5d4ab7321b...b1.exe

windows10-2004-x64

10

64a91313eb...f3.exe

windows10-2004-x64

10

78583cb35f...80.exe

windows10-2004-x64

10

7adf4e4d30...3b.exe

windows7-x64

3

7adf4e4d30...3b.exe

windows10-2004-x64

10

7eeb7d5105...82.exe

windows10-2004-x64

10

85963051ec...13.exe

windows10-2004-x64

89b66df995...26.exe

windows7-x64

3

89b66df995...26.exe

windows10-2004-x64

10

8a339b5ec9...a4.exe

windows10-2004-x64

10

948537d542...e0.exe

windows7-x64

3

948537d542...e0.exe

windows10-2004-x64

10

9aaa505382...5d.exe

windows10-2004-x64

10

a1fa8776d2...ff.exe

windows10-2004-x64

10

a4673ac7aa...63.exe

windows7-x64

3

a4673ac7aa...63.exe

windows10-2004-x64

10

a6784f4b55...a5.exe

windows10-2004-x64

10

c81bc7831e...44.exe

windows10-2004-x64

10

db203dc135...0c.exe

windows7-x64

3

db203dc135...0c.exe

windows10-2004-x64

10

efd353ed4e...ec.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    red2.zip

  • Size

    51.1MB

  • Sample

    240513-njpm8acc3w

  • MD5

    529a16a8f3eb780058ce4c4d88d761bc

  • SHA1

    06d60d475dc5b906a48bf6fc44a8b21451cebac9

  • SHA256

    4de1124a0c0b201907321b44ffbad15b2e2e9ad38b6ae1a833ce56f145c5c177

  • SHA512

    b70f1502c68b14085c6b16a86da4b49213d4aa5a3e34a576cb3c2a5028e0512ece411869ac11254ed4c65f6d17ffc679a4a754492cf1d02bc42b2264dd1f8562

  • SSDEEP

    1572864:QgJol5kjVEtpaxs2kwji1p/y+9aORAUo50q:5Jol5knkUi1pnFRMf

Score
10/10
lummaredlinesectopratzgrat5345987420@txtheaddebrologsdiller cloud (tg: @logsdillabot)mixadiscoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.77:6541

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes
  • auth_value

    18c2c191aebfde5d1787ec8d805a01a8

Extracted

Family

lumma

C2

https://glossydecentjuskwos.shop/api

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://tendencyportionjsuk.shop/api

https://headraisepresidensu.shop/api

https://appetitesallooonsj.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

https://smallelementyjdui.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

@txthead

C2

94.156.8.193:34427

Targets

    • Target

      13d2ddbb73b782f7ef9b539d9c2f99d04cc83536205cbdf01fcfdbda6273b93e

    • Size

      368KB

    • MD5

      746626f9ca37c0be50e5db93f8b7fcb8

    • SHA1

      0f875a14736c0015171fe52972153811fb8ecec0

    • SHA256

      13d2ddbb73b782f7ef9b539d9c2f99d04cc83536205cbdf01fcfdbda6273b93e

    • SHA512

      387ad2824cde3c7dc13e20f733008cf649ad3abe258f99c9588d868766529f6492f500ce729a9e09124459407f06d6d8c307056d45083b2714c7624c0e244d5f

    • SSDEEP

      6144:ByG9AjZTJ9Ja1HDoXU9qLShgFwflhqXvbyj3Eso75XV+kUyespx:gQA/9oiXU9qLSzf6TyjUl5XVqspx

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      248f6a88e25b649d9173c39e07ca411784d808570bec48e3d3681ea589460f75

    • Size

      1.2MB

    • MD5

      76d0db94f2de91ec32a48bd8842e5824

    • SHA1

      c616e4bf2e1effcfc7879c579a318aaa2b4aea1a

    • SHA256

      248f6a88e25b649d9173c39e07ca411784d808570bec48e3d3681ea589460f75

    • SHA512

      afe4a7380fec186f1e76bfbcc958ae8acb9ae7385020031da2e582f00630485965d7511106137edd0341752c46a8460516ddf20dc17e74e8567e3c3e87aa90d1

    • SSDEEP

      24576:DUvYi5Av55llkyRdjU3AK1Msaw1jDcgvlbipgKGs:DUwpllkyRdjULf39bVKGs

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      3b3c25930d8e5239354b72caa7636c9cd244db255f2dbdad867a4095441c91c3

    • Size

      488KB

    • MD5

      7708f942fc03661888b12d848e63be86

    • SHA1

      ce37a96ff8c2a103828b904568a181ffaaf53341

    • SHA256

      3b3c25930d8e5239354b72caa7636c9cd244db255f2dbdad867a4095441c91c3

    • SHA512

      3bd43a4bc4ce233e3c28563c222c3443ecf2d81cd229669addcafaf24d6d5115e73db80f8030169bcbc3980f043030df354adbf43d28532d82bfe187e0df78bf

    • SSDEEP

      12288:VMr8y90FONVwfOLFGj67nSaJejITycHNb85:9y7N2yFTS+t45

    Score
    10/10
    redlinedebroinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      5d4ab7321bf7b95b30cc71760a54f2de7172103b782fbdbcabcc012561d0f7b1

    • Size

      1.2MB

    • MD5

      a0be480c4ef34ac1cdfa505cd1706199

    • SHA1

      751cb6f383f848e19ea27b79c8b16eb6715b0194

    • SHA256

      5d4ab7321bf7b95b30cc71760a54f2de7172103b782fbdbcabcc012561d0f7b1

    • SHA512

      70db894f5b1a17e323fa5459bc3a69cea2dab37e12d4e0963ba89bb37e25bf4928a177eeaec1a71fc9937a20aabddbad0ac60f505d11cdbdfa9a9a9cc413064b

    • SSDEEP

      24576:n843izBgywllmrXX0SRD4Ms0sZYeDBqFnKKm1+KiO6fs:n8udllmrXX0auGTKKFNnfs

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral6behavioral7

    • Target

      64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3

    • Size

      769KB

    • MD5

      9bf6b90455cdafbc4f730e0d36e6f2f3

    • SHA1

      1280c19116ee65594582d39b5f35693e843eb3cd

    • SHA256

      64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3

    • SHA512

      aa93787490febd0e91e0a64a3b04d825fcf474833e9199df6029a1ec9b7ad6b00b15cce125b70e3c89c6a09ed03a549e0abef07baebd82331d19afa5b003cfeb

    • SSDEEP

      12288:BMrKy90IjoIdwRsoHBc9xklpmHUpBjdJ7pT2cDoLX3Ehmg/3acxtJxJ0:Ly0IdwPhcM3P5drMLcFJ0

    Score
    10/10
    redlinemixaevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      78583cb35ffed4865b6cde068216b6ee82dff5cb11522d6b1b2e33d713a21f80

    • Size

      488KB

    • MD5

      705a640fbe0831c4df98f36b96fa7f7f

    • SHA1

      3e7548269fea8c5cd47a2dc7eede86bf6fc3861b

    • SHA256

      78583cb35ffed4865b6cde068216b6ee82dff5cb11522d6b1b2e33d713a21f80

    • SHA512

      fdadb8631446c42490f5f0c558280a37cc50cbbe83011db0804ba09bf5fc63446fd40e258b4fcb43367b271a58ac45fc31a3057a9ee3a5a711b5c3cf68b7402a

    • SSDEEP

      12288:3MrZy90bPdtqjfuFm97VYglxzKlO+4aTfVoF:Cy86jGw9ht+4aze

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      7adf4e4d30d94f50091e644399565b03649ebda511d61b6156728120df42193b

    • Size

      1.2MB

    • MD5

      753182443978a73ad9e3c1133a2f33f9

    • SHA1

      5af5ffed81bbc6d32f1f0fe8a70c8dcf22546757

    • SHA256

      7adf4e4d30d94f50091e644399565b03649ebda511d61b6156728120df42193b

    • SHA512

      970063df51e3f924b36154c3815161905f6ebde72fe091b933bad519919071a2f63517ad70f8e6edda51460a38377034b3180e4cb0870fa8641d90ea14070b7c

    • SSDEEP

      24576:FzRqiJH28+VpdGfVDeJhWoMsGrBsDEi9HXCEnauYs:FzMfVpdGfVDeu/4HXZnGs

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral10behavioral11

    • Target

      7eeb7d5105714891b20ada945a47c8b1144bfe9a5bfd2e9d3e958da52b062182

    • Size

      316KB

    • MD5

      762643b7b23b38b8b69a3f2016aea5eb

    • SHA1

      b58e4ec7860169d3cb0ae8e7ce32b0752e87ac73

    • SHA256

      7eeb7d5105714891b20ada945a47c8b1144bfe9a5bfd2e9d3e958da52b062182

    • SHA512

      bdf4929acfe47489174b9d773faeca50b61699db844a614f3e6636f1f307bc576d771c45a8a64d8de2887d66b50cbffede9bcc761c5f001a20cc8b3973bcd7c4

    • SSDEEP

      6144:KZy+bnr+Op0yN90QE16vZrMgXGma0+qSNF1lioHpoZM4:vMrKy90vmNRGfN9pC

    Score
    10/10
    redlinemixaevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      85963051ece1830904f1352feb417a21d0483c9ef3735855d49b257c6278df13

    • Size

      43.5MB

    • MD5

      9de6a6858482f7b8c82bd861ea974e09

    • SHA1

      772ce6a04f3afed268695f26136337a772c76017

    • SHA256

      85963051ece1830904f1352feb417a21d0483c9ef3735855d49b257c6278df13

    • SHA512

      fd11b2455361204a9cf9d046acc2b379989e11f7b06f0add808bc2219b104ff10b772d708ab64752efbf894c281c486509d8421edebfa8c3be608e02eb8f2c77

    • SSDEEP

      786432:CVTtG42LQOiWTx/iNFcFXBHx+rEpTyfgcRMQS7bYC/vswAdlk1MUOH:CPGFM0RwcFXBHx+wgGV4ydAdxUO

    Score
    1/10
    behavioral13

    • Target

      89b66df995df06c4b63c0874921e1da7192ea6c4fb2f7e991fb3bb68c2c25e26

    • Size

      1.2MB

    • MD5

      7caf50a3baa69d9891d00ba7e9e8d797

    • SHA1

      c467f50668d787d5757650b317117a8528d5bc57

    • SHA256

      89b66df995df06c4b63c0874921e1da7192ea6c4fb2f7e991fb3bb68c2c25e26

    • SHA512

      8a16e971dab4003c03ccff6b0ec45ada152f3fc7a73fb6252889a3e08b223c22a7c7cd06c7ed5c14880300bb10f57a5f135a3baa0bd37bd7a6f23cc4f03f2513

    • SSDEEP

      24576:FJXyijJIK8li6v93OhJjuMsYqRwDaoGlcXqua/7PVNs:FJixli6v93OrecGlcXW7P7s

    Score
    10/10
    redlinelogsdiller cloud (tg: @logsdillabot)discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral14behavioral15

    • Target

      8a339b5ec96af2011a66dc18e1650f9ce31815b69c4d565ca266ff41e286a1a4

    • Size

      316KB

    • MD5

      78e75d662eb480ae035fe13c8528db74

    • SHA1

      2140c40713fe3ec0087adb8c1d633745b4e9b6e9

    • SHA256

      8a339b5ec96af2011a66dc18e1650f9ce31815b69c4d565ca266ff41e286a1a4

    • SHA512

      f93c9c6374695c4b0fefa1ec91efe078ee2f765613f2e0621acd73947e795b702e76f8bc71cde3a31bb3caa5822aa5a338327255c60da9e93448cc6e1e284597

    • SSDEEP

      6144:K3y+bnr+pp0yN90QEn6vZrMgX3eYK41E8OBURKaJWKk:ZMrpy90BmN3rKWOmEa4Kk

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      948537d5425794f4ef3525416441d129812ac5d9ef9b35f1eacccf6948e60fe0

    • Size

      1.2MB

    • MD5

      7bb8925188c2ce5686dfe17e2e05debc

    • SHA1

      b27147eec22e7fc0fda02f19b7ef5d1721e459c2

    • SHA256

      948537d5425794f4ef3525416441d129812ac5d9ef9b35f1eacccf6948e60fe0

    • SHA512

      a7938223aaa77f644bbf090b30cf57b66ada5023bd2d191d9890fb1703ba9ac444858f26614df0941828e3d47ffcd97e4915ff3f2873c3d74f1e8298ba35d524

    • SSDEEP

      24576:kMrDSiyJIK8luK3932JQ9bMsYpZSDsMxwf5GniLWcs:kMiCluK3932m65pAn1cs

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      9aaa50538204ad8ed2bed10632de494067e88887268d3beeb1f68815b03b325d

    • Size

      488KB

    • MD5

      c96325df97a2d3f9b536a1e4e1bc112c

    • SHA1

      a6cf2f4b20afbc1f88f0c0958bdb851e622ff516

    • SHA256

      9aaa50538204ad8ed2bed10632de494067e88887268d3beeb1f68815b03b325d

    • SHA512

      c91808e60061956ba8c53eb4b6d3e0e1dbf4684421df60e96507a2562ae5c017f6340ec47c1c0ab53e92ae73a704b3ac63a7bcfbcdd567c93501b13642f106ad

    • SSDEEP

      12288:lMrAy90pNuoRidcQyGSw75zKlOMkalTgmORsL:Nyi3161MkalTgDmL

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      a1fa8776d2234540b4b06a6175a58b01a25370868f808e796d7bcbfdfeacebff

    • Size

      316KB

    • MD5

      78c5fed6720bb71a532cfc30f99a1ae3

    • SHA1

      de307b619e6e40f9ebea86a79fd3af1b6d8f02d3

    • SHA256

      a1fa8776d2234540b4b06a6175a58b01a25370868f808e796d7bcbfdfeacebff

    • SHA512

      34cff8dac371277878e88971060be5df1ab7c51fa829f91ba09dba1f5e8dc119b466aba95586fd25d589f61c054f6d434a8b09176006a6a6e3e4257c70dcc5ce

    • SSDEEP

      6144:Kyy+bnr+Bp0yN90QEo6vZrMgXGma0+qSNF1liCHpDZ7E:GMrVy90SmNRGfNLpe

    Score
    10/10
    redlinemixaevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      a4673ac7aa51c8f5ddda3a7edbf21cc12faacbdd4a054ee01df67f27a5332b63

    • Size

      332KB

    • MD5

      730c825ae8e2c429cba254b5e32680b7

    • SHA1

      0d46cf88949e563c39cc54cca39f3d531a4c490d

    • SHA256

      a4673ac7aa51c8f5ddda3a7edbf21cc12faacbdd4a054ee01df67f27a5332b63

    • SHA512

      d793da8e047dbacfe18beec057a979f27324cf01d9a68b3dc3c7271beb3311d1f630e0b06403cfe641ea9e39c65f6178e77aaf0326efaf6aaa0b57755d2c2aa2

    • SSDEEP

      6144:61xw5f7Qjiz+osPz6Z520DbS1RcyghaS41temlVy5ZUOA8sb2DvvK+0Xp:6fZjs+osPz1YygYSWteCYZUOA/2H0Xp

    Score
    10/10
    redline5345987420discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      a6784f4b550acc54cc3376066858e706933e32e7c275b9b79acf346dc3cd3da5

    • Size

      488KB

    • MD5

      7a5c3e1e5f4b6babd35faf0480dd409f

    • SHA1

      7870f67f3efce145f0e49b4d85b99bea3a7a6283

    • SHA256

      a6784f4b550acc54cc3376066858e706933e32e7c275b9b79acf346dc3cd3da5

    • SHA512

      b46eb02d9a71a09e28e75f084c2536d8a895d0571097a6477fa8be6a34594a8af12cb2de597dad38a3a5023abbae51226644bbebf541ef0f246079e982421806

    • SSDEEP

      12288:9MrOy90vu/z2ejeR85fhKj5bKRzXN+CZz+xQ7Xjbs:nyvfeSHKN+xd+G+SU

    Score
    10/10
    redlinedebroinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral23

    • Target

      c81bc7831eb8bf73d67379be4d3b03944fc18873944de10d1e02f9de54dfcc44

    • Size

      316KB

    • MD5

      7a2b8d9dbb08338b078c2270b66010c0

    • SHA1

      c15580da05915a08bf6065adbeacbaf3dc0da348

    • SHA256

      c81bc7831eb8bf73d67379be4d3b03944fc18873944de10d1e02f9de54dfcc44

    • SHA512

      33cc67f35e3da6b7cab3f2e4af72134c49c953ceb7b520628a3b219bcdd42d9ed865ad486d045364d201d33ff49caa6758ac67bb1c895e09a3615b7d9da99946

    • SSDEEP

      6144:Kmy+bnr+Vp0yN90QE+6vZrMgXGma0+qSNF1liDHpgZ7A:mMr5y900mNRGfNmph

    Score
    10/10
    redlinemixaevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral24

    • Target

      db203dc135d244a9cc17433853b7a56001547d4cad091ced993ce64e9ba1250c

    • Size

      1004KB

    • MD5

      9de1ede890852d25d1a9a37561c85881

    • SHA1

      823df077b48e0fc84a398a3081037e29ae9e636c

    • SHA256

      db203dc135d244a9cc17433853b7a56001547d4cad091ced993ce64e9ba1250c

    • SHA512

      c416064da1ef2048a0940bba408d41c5c79ab2514f078ff7ba7b6d72c01fe8fb43ed703aacaa4378e0c4670a5f325d8b8a78cf5c0f8756ebbe78295ea8049a34

    • SSDEEP

      24576:L+KwiEu1zBt9qQ9fzrNXZMsCunBDwrqGYErtVs/t:L+/gt9qQ9fzFNie1es1

    Score
    10/10
    redlinesectoprat@txtheaddiscoveryinfostealerratspywarestealertrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      efd353ed4e0d760b81c28296fd5aa7a67776e8b003d5edc1e7479f6efd721dec

    • Size

      316KB

    • MD5

      7498fd1b89e795947980b4d0a33ef463

    • SHA1

      3cc3c3d98acade1fcc157c8913b1b8e673618c8d

    • SHA256

      efd353ed4e0d760b81c28296fd5aa7a67776e8b003d5edc1e7479f6efd721dec

    • SHA512

      15442f85723457e867531e5dd3b47273d9cb5a7d83402d95f9cba7088e8ee3b155f4b95f510b316ab1497a620cfa6ff1d1c5fc123b5a1743bb78d0b621e55312

    • SSDEEP

      6144:KRy+bnr+9p0yN90QE36vZrMgX3eYK41E8OBURKaJ8:7Mrdy90NmN3rKWOmEaa

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral27

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral3

Score
3/10

behavioral4

lummastealer
Score
10/10

behavioral5

redlinedebroinfostealerpersistence
Score
10/10

behavioral6

Score
3/10

behavioral7

lummastealer
Score
10/10

behavioral8

redlinemixaevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

Score
3/10

behavioral11

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral12

redlinemixaevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
3/10

behavioral15

redlinelogsdiller cloud (tg: @logsdillabot)discoveryinfostealerspywarestealer
Score
10/10

behavioral16

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

Score
3/10

behavioral18

lummastealer
Score
10/10

behavioral19

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10

behavioral20

redlinemixaevasioninfostealerpersistencetrojan
Score
10/10

behavioral21

Score
3/10

behavioral22

redline5345987420discoveryinfostealerspywarestealer
Score
10/10

behavioral23

redlinedebroinfostealerpersistence
Score
10/10

behavioral24

redlinemixaevasioninfostealerpersistencetrojan
Score
10/10

behavioral25

Score
3/10

behavioral26

redlinesectoprat@txtheaddiscoveryinfostealerratspywarestealertrojan
Score
10/10

behavioral27

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10