redline

Resubmissions

21/01/2025, 08:24

250121-ka7wnavmhr 10

12/06/2024, 04:32

240612-e6ft6a1cmr 10

Sharing

Copy URL

Twitter E-mail

General

Target

MultiHack v1.7.zip
Size

3.7MB
Sample

240612-e6ft6a1cmr
MD5

8f23df152d21164e65c9ec0075438092
SHA1

d7da33a9562eff23285b9c3c03663f7d486a8cfd
SHA256

9e5350ebbbe71cde0e195735289355187d11af0ce0b625cb16ded5f0f3b98744
SHA512

c3be73b3d9fd59c4db5155afaa47beb36903fa8c0680f25f1ebd7ffc067aa7b78b9358deba96de95fde1725b2bb10bebd71221dd097a976556dfad9a3b14af0a
SSDEEP

98304:WOMjLhIEsDwTDhjgUqLGEjYOjS6qmRsjOmdYS01jjMT:NMjdIZER+SGsjf0BjC

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@bloodyrain12

147.45.47.93:80

Targets

- Target
  
  MultiHack v1.7.zip
- Size
  
  3.7MB
- MD5
  
  8f23df152d21164e65c9ec0075438092
- SHA1
  
  d7da33a9562eff23285b9c3c03663f7d486a8cfd
- SHA256
  
  9e5350ebbbe71cde0e195735289355187d11af0ce0b625cb16ded5f0f3b98744
- SHA512
  
  c3be73b3d9fd59c4db5155afaa47beb36903fa8c0680f25f1ebd7ffc067aa7b78b9358deba96de95fde1725b2bb10bebd71221dd097a976556dfad9a3b14af0a
- SSDEEP
  
  98304:WOMjLhIEsDwTDhjgUqLGEjYOjS6qmRsjOmdYS01jjMT:NMjdIZER+SGsjf0BjC
Score

1^/10
behavioral1 behavioral2
- Target
  
  MultiHack v1.7/Loader.exe
- Size
  
  613KB
- MD5
  
  eaf135289c47813fb42ca5c8725a318c
- SHA1
  
  b10df8a1ed28477738aa49d13075ae379cee59e4
- SHA256
  
  d32338a207e0c9389388cebeb45abe709e4dc6fe02d0f8267b478fd2cfeb1760
- SHA512
  
  c9288aee9876d006ce998753785982c086382ecbfaecb0f6fca7e445ce0f42efe3375771e0d9211f3dadcf09476c607584c09038dd970c325cc1d314ccc0abed
- SSDEEP
  
  12288:k55CP3Izb3vmJxMtTCGpZo0kidUBHZ2MErqp4tv/D7YmvDeDidYA7j//GrzS3emc:kqPIHmKTCGDoT
Score

10^/10

redline @bloodyrain12 execution infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  MultiHack v1.7/README.txt
- Size
  
  593B
- MD5
  
  56ac5cfa302606d805191effada66a16
- SHA1
  
  0b79424881154ce74ca5b5aeb217cc302425b1fc
- SHA256
  
  6d816df54c5d2be2396257bf3fbe345a10fafe78766e13b727f49e09793d66eb
- SHA512
  
  c28905e539adf0d471d7ac8bfb8bf887f179160c15f41880f55d8b0bd4ecf35238e70fd7f9484371b78c796447a46186210710f33f24360896cc292a76b7c160
Score

1^/10
behavioral5 behavioral6
- Target
  
  MultiHack v1.7/jvm.cfg
- Size
  
  4KB
- MD5
  
  e9da54c707da4e8ab2306b9f7c5f30ae
- SHA1
  
  f229561832df50b9b2bbea74c7234423d9e0a61f
- SHA256
  
  76c6dedcc8f51e80c08b8bead23af8168ffa0de26c57e546cefff2f4cf318bcb
- SHA512
  
  d1be773d908e4eb1cdb34a3d4b9a4b2c179026711893f81cbbbeb0571388f5d44b0ade12c351e4f81439a7afd5dbfe1445d1bdd142c4c31ccf4d1ddb6ad45931
- SSDEEP
  
  96:si28cXGJMpOMRVF4U6Awknpwuwjv3EgYWb8hsqWPMWMrEWBnKvTgWTWekqP3sA7L:pch/K
Score

3^/10
behavioral7 behavioral8
- Target
  
  MultiHack v1.7/scripts/actbusy.txt
- Size
  
  15KB
- MD5
  
  d763b32d55c33aaa35d84b585a53a379
- SHA1
  
  3dc086805ff3c4599e45abd6784280437ac67fea
- SHA256
  
  afd4677654c86372826ac4be0e41c48c33abdbab72a709e1f476c34abc52f82d
- SHA512
  
  1276a7c16d1bf751c8289030bd0a5340758022b77232b785872f86dcd6f2b6c0b7ed77e30904731bc7563ed23c9d44e9a8fa47e6b442942d300dca6f8a97c65c
- SSDEEP
  
  96:sHk6/2MMr2xb+LN1yxaeky2ySutP3dvZ26UCN/OCOgM40kAvpOi3HUbAU/2CxGE/:6V02b+LWx5tP3dvDN/Z5jxGEqxKroe
Score

1^/10
behavioral10 behavioral9
- Target
  
  MultiHack v1.7/scripts/actremap.txt
- Size
  
  4KB
- MD5
  
  f83aee55b22442f691bc778dc8098f63
- SHA1
  
  bd6ddb194c4f8085c1cf7a1319bf9d11c041e7da
- SHA256
  
  c2b67cfac752e75a79cfcfc72443bf7056f7e769489f638963788dd2215c549c
- SHA512
  
  dad3a988fe85414888061c16c78dcbce275161d8898c13e12a10db907037b9ee67e0f17c3e994b201e7b5cea88f474e418332630a8c521b54c79fb72189178c3
- SSDEEP
  
  96:0Ha6jb1v46FeqqJbKPJuZLJBKLJYq9JfJNOAOpqZJLJ1OkOw:b6X1VWJbKPJSJBKLJVJfJNOAOkJLJ1O8
Score

1^/10
behavioral11 behavioral12
- Target
  
  MultiHack v1.7/scripts/audio_options.txt
- Size
  
  4KB
- MD5
  
  d9f440fb788a0c9d29f4e4d1e7a0313a
- SHA1
  
  0f4c2b123b62727c2acf64a3bdd18581d078e000
- SHA256
  
  f379f2f36476831900d165eba21514d0c3fdba1a15c7306bade0c7d4ff44bcd2
- SHA512
  
  5d86a9743d1a630f84b4c932e62e13665a20d43d16709d00e64f4e6f5d35f273436165d0bf239986e27dafcd32eb926e7b3ddde269df3f929ecd6b8117f88dee
- SSDEEP
  
  96:GQ+lBQ+0y+Gqy+Oyy+9y+iy+Ry+Py+2h6y+ky+U:s9yhe
Score

1^/10
behavioral13 behavioral14
- Target
  
  MultiHack v1.7/scripts/bonus_maps_manifest.txt
- Size
  
  43B
- MD5
  
  202c4a9d2d9aca6da3676c9e54b5e2b7
- SHA1
  
  81a2af1ced9353891d9df68b79650c62ce0f03b4
- SHA256
  
  7ceabfaf88ce7a25fb60adff6eef71cd9ab66cb5984c0d2d510318d493b8e61c
- SHA512
  
  8a71d84c64ed0e17ea2b1f99dc7d338ca24db5429594bc128b0c46543b2aa7246ddbdc53f61fd6af6020c801b754f51cf96054f7e8f6cc6a1d6970f247e41c87
Score

1^/10
behavioral15 behavioral16
- Target
  
  MultiHack v1.7/scripts/bugreporter_defaults.txt
- Size
  
  19B
- MD5
  
  ccb652b81adfaba6974e3887b3df800e
- SHA1
  
  c25c4857ff14fb3b73462a3e04b3daa6286c3564
- SHA256
  
  2cb6de377ded7f799694df38f83c446d1fd41e61d6eb6f16008072ebd4933448
- SHA512
  
  0939cf2a1d749bf34ea34a1ea23da0c05e6724b40d00cf7451fbfbf101a69f1a9dc39652a85cd6c3b3dfdbcc580cda83896c16ba50e6fdd8156e8f0ba88af27a
Score

1^/10
behavioral17 behavioral18
- Target
  
  MultiHack v1.7/scripts/chapterbackgrounds.txt
- Size
  
  37B
- MD5
  
  1e81f5e15466f87fcf870f75080612ee
- SHA1
  
  71b506dcd9c01947203cef8ccb7095b97f35dce8
- SHA256
  
  9bbedd3e085bfe5c469a54f732589813ed6af1d05b64f1bf08fcb0fb90c52dc4
- SHA512
  
  c850f84f453c0fa748c929873a1d23f74856b52bcae15cca82577a42f42bb437cd9a59c48a51c0e24544fb29e2968d1f02e534cca76cb3d2a0151fc70ac1b22b
Score

1^/10
behavioral19 behavioral20
- Target
  
  MultiHack v1.7/scripts/clientmenu.txt
- Size
  
  6KB
- MD5
  
  d80932b6bb50903f23b5a4efdcbf41f3
- SHA1
  
  5a4691830d5eade69feb0c94f0d3adbbd56873c5
- SHA256
  
  dd775b8bf839a2be6e8c62be9effde60b6788b980001bf20a5655acfb53e6ac4
- SHA512
  
  4b3dbc0ce19d943ca82dccb06f865caddc81edd223becf13aca503a14e3a7df7982ed2e819414bbf2ae4e60acf599fe9f6c827161bd9773a9da29364131efa55
- SSDEEP
  
  96:h9x0KtKLJoAyxcJx3z0Mb6vlAlilylrcEQw3RQdQCQz3N/3f:LK9oAyxcJx3R6qcE/3Rc3U3Nff
Score

1^/10
behavioral21 behavioral22
- Target
  
  MultiHack v1.7/scripts/controller_options.txt
- Size
  
  6KB
- MD5
  
  a300f751268f4b5245852bbffef58ee3
- SHA1
  
  fa4e46b1bb102f1829718a117178fb276af711c5
- SHA256
  
  828a5fb1b7677e40f6bfbf613e5b6e90cf6a3baf051caa7ffceb64f61ff7754b
- SHA512
  
  68ff02e38a447010b1458dd6fd996090fd2e2b68c2406b1da8c99114c5251803c5cc31e6e0d3f93a3e4f20c73acda0ab7e9d14ade066acb6264b5ecc06017c9a
- SSDEEP
  
  48:bngsJsVvsHa0ysjThsjJy5tM3FDsL5+CFDsL45Qs2L3YsuYMUe/lIPIR1ldt1XFB:8IaXy43FDQJFDL0LIDisxNq2cDtHt3q
Score

1^/10
behavioral23 behavioral24
- Target
  
  MultiHack v1.7/scripts/credits.txt
- Size
  
  8KB
- MD5
  
  983d4bdae61208bec7abc5b3ca90cfa0
- SHA1
  
  bb8ee1e7a573f534296f27c1765e86b2485634ac
- SHA256
  
  0c1a72c59da09f61ff3d3011fa8a798766ac167452c19bd4db092715b9d83ace
- SHA512
  
  8350359855d2d793a26f1b1a80cc4f5cd495875d56f6a2882b014e44d9aa2503447c9f481ab898f978bb68186f0e0894d7475fc5ef4331dd7bc768b5ac69d199
- SSDEEP
  
  96:LJCt8psGFw8NUnBNKYznm7z7yXYWware9jjz9U5UcangO83JQqwSpOhlGLOoZ9aR:0tR/Znm7fy7eX7cagHkOcmV4TFWm
Score

1^/10
behavioral25 behavioral26
- Target
  
  MultiHack v1.7/scripts/damagecutout.txt
- Size
  
  22KB
- MD5
  
  e64857cf92b6565dab38838a2e92ea67
- SHA1
  
  c74ea6e46de465f5f4dc62af831fe83d8d49c6c8
- SHA256
  
  fd31b2f7d9d0fcacf36a14ab0791f3db99d4c6d3474f03301acbefc4543d379c
- SHA512
  
  bd2cc635efa539f6307d83cb6e5960ba214f328e3530ca9e24d63fd9b666f38577d7c2a8eb32668099e9859010ffcf1391a04ee541be66c8be134d9678c9dc9b
- SSDEEP
  
  192:Yg5r9O4uGiNKptEDATB0zdEiA4ZVSLBTolbobpn:Yg6G+ATB0z5AgGBThbpn
Score

1^/10
behavioral27 behavioral28
- Target
  
  MultiHack v1.7/scripts/damagecutout_ceda.txt
- Size
  
  12KB
- MD5
  
  f06651f3af4548e13ca1c6c469cb5ebc
- SHA1
  
  cfeec9e81fa2a404f3ec48b36c62d864ae3245ab
- SHA256
  
  92a628450dc3328ee33e8c7437112587840cf860c526216930df35f0329729a9
- SHA512
  
  5875a20ea0cf9e050fd3db5d209558397310db6c7adfe8457dfd09da9c506c2abbefb7ed902e5d1b347fb37add9e34f770b3416c9f6f12379436662502b722e8
- SSDEEP
  
  96:hQxuG58PpXRXGKJGOpXQ+X5oJ1EpXPyX5oulopXe/O2oespXVSI+V44pX8xx424q:C/5peniDATB6dlEkA4ZLQSBdzrpY
Score

1^/10
behavioral29 behavioral30
- Target
  
  MultiHack v1.7/scripts/damagecutout_female.txt
- Size
  
  22KB
- MD5
  
  7624c8d64a6a5ae9d8bad827a70c637a
- SHA1
  
  0b2418bc25521bc56675a056185c14919de780e4
- SHA256
  
  3db9c42023c211d8d6609256fd618b725d03b01570f61a8e4d295345d2677db8
- SHA512
  
  27ab317f449a40308de3b0e2a55425052d98942e97e3ea1e94ab8ca91eaee41dfa226f02e4166d64a7a67047490ad2a59a8a2da9d64cf0b28a77bef1b99c478e
- SSDEEP
  
  192:fN15CX/5snzvfATBxzuE44Z7KrBTF7BHMX:fNvJTATBxz2g0BT3HM
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32