redline | 672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a | Triage

Sharing

Copy URL Twitter E-mail

General

Target

672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
Size

1.7MB
Sample

240604-shq7wabf77
MD5

e8a7d0c6dedce0d4a403908a29273d43
SHA1

8289c35dabaee32f61c74de6a4e8308dc98eb075
SHA256

672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
SHA512

c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770
SSDEEP

24576:uVKlwZW7rdhSklldluAi8XBBv3b1bNtFPEh8OyPe+ZkGRACQX48n9pJSQ2KxLqYV:LlwZEDSWercBvB7xEdr2dRqucwcr

Score

10^/10

redline @logscloudyt_bot discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

C2

185.172.128.33:8970

Targets

- Target
  
  672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
- Size
  
  1.7MB
- MD5
  
  e8a7d0c6dedce0d4a403908a29273d43
- SHA1
  
  8289c35dabaee32f61c74de6a4e8308dc98eb075
- SHA256
  
  672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
- SHA512
  
  c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770
- SSDEEP
  
  24576:uVKlwZW7rdhSklldluAi8XBBv3b1bNtFPEh8OyPe+ZkGRACQX48n9pJSQ2KxLqYV:LlwZEDSWercBvB7xEdr2dRqucwcr
Score

10^/10

redline @logscloudyt_bot discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redline@logscloudyt_botdiscoveryinfostealerspywarestealer

behavioral2

redline@logscloudyt_botdiscoveryinfostealerspywarestealer