redline

General

Target

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
Size

12.5MB
Sample

240701-bgvp8svclp
MD5

3ba515e7df4c8918a967f4043cd8c72b
SHA1

3659a765f502297fb92a9d14b08e5b8d91bc8603
SHA256

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482
SHA512

010d639a231724425e791afccc7fabacd9b20269665706434c28eba6192af5b424a792755ff1503c0e0afcdd05c5b470d59f57f706f843157c42212e0bb40d8c
SSDEEP

393216:Y9XWBQ/bXZmSUGkVAqYwm9MlpcghwvWLT0Z:Y9GBmZkVAqYweMbIWfo

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

MergedALL

C2

51.195.206.227:38719

Extracted

Family

redline

Botnet

telegramone

C2

163.5.160.27:51523

Targets

- Target
  
  5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
- Size
  
  12.5MB
- MD5
  
  3ba515e7df4c8918a967f4043cd8c72b
- SHA1
  
  3659a765f502297fb92a9d14b08e5b8d91bc8603
- SHA256
  
  5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482
- SHA512
  
  010d639a231724425e791afccc7fabacd9b20269665706434c28eba6192af5b424a792755ff1503c0e0afcdd05c5b470d59f57f706f843157c42212e0bb40d8c
- SSDEEP
  
  393216:Y9XWBQ/bXZmSUGkVAqYwm9MlpcghwvWLT0Z:Y9GBmZkVAqYweMbIWfo
Score

10^/10

redline sectoprat xmrig mergedall telegramone evasion execution infostealer miner persistence pyinstaller rat trojan upx discovery spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2