redline

Sharing

Copy URL

Twitter E-mail

General

Target

99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.zip
Size

5.8MB
Sample

240704-rdtxjazdpa
MD5

d10226a25b06feb780fedb5601c577b0
SHA1

cdc543c1458fe300f08b33c61dfeacd399a34f84
SHA256

3b6de93762563ae0095769cbf32661c50bfa332fbdda305650349a70f8245ad8
SHA512

d5f756850b29289e8d2fdd08374828abeaa1951527967828f3c201556bbe2835f1feda39418f9792577e7b4699a80bca7f63961ef273546fb8a5dc6e476f74c3
SSDEEP

98304:7GLuGMMLaAYtmC2ULVX6eJGF/pm+gOAI/A2D5A8pR5bqcotMzYbqHx1uJDcL:78uTeTimuNJGFxm+7Eu283dqcotoYefl

Score

10^/10

Malware Config

Extracted

Family

redline

185.29.9.108:15135

Targets

- Target
  
  99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe
- Size
  
  2.5MB
- MD5
  
  4d7e397e97d759700ff3d0f2ed5e7192
- SHA1
  
  b59053909d84ed942c864a683888701ede42caed
- SHA256
  
  b4d3bc33f79cea60a3908517408f24d9937a9a3416e36526a1465e7bf91d5f34
- SHA512
  
  70258a68abaec07393127b696b1959cb743429b002a378661fd86eb6d6e46b62ee5254097d2bd113ac751191c5099088bd332d3934a5d76531326e256a092966
- SSDEEP
  
  49152:Iqgyd/DgXBgnqPi3W0EfLckEjO+EER8Jbn:KKAIs9
Score

10^/10

redline discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  AMMonitoringProvider.dll
- Size
  
  204KB
- MD5
  
  f2ae2445ac7eca1ee8480321b03241fa
- SHA1
  
  21ab4051f98e1c1e1b4f415b5a8f0589a02137b1
- SHA256
  
  8da3d256ef7df249138d8e934fbd74fda8f31c5b5758f26a757f2c686e1debdf
- SHA512
  
  6cde8462b6f63d881d74f40f7eb7336b9c86d0375e883b8665808c5e07818d9224c72597f63fc283c7e3e82d02fa6a5def17518ddd8fd0a23a4555af3ede88df
- SSDEEP
  
  3072:PCUZghW+1ao8vg/i/Tp5Co0hTgk0sXMvmcJNa+BTKTeehWKx3UjpoYfAdK+:PVZgh91h8npohmvtaMuU5s
Score

1^/10
behavioral2
- Target
  
  EppManifest.dll
- Size
  
  1.0MB
- MD5
  
  e1414283b5fb25e3a0aa034104e187d3
- SHA1
  
  ca6b4f68ee7a0b17072962f9d93bb10ecfb3a46f
- SHA256
  
  5768486507ce07e7c387e409714244fe2a96b33d1666d24825aa181ac3cef5bc
- SHA512
  
  ca79757602b50d82790e8583187e4a18b8a1b9e81a4ad4f1233e0cadab3fe8ca874cb1bef267953ab5a0b82f0df8392a10dab68129249af9a210068e384f8717
- SSDEEP
  
  6144:qmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJ2:4/6qa37L5
Score

1^/10
behavioral3
- Target
  
  ImagingBase.dll
- Size
  
  297KB
- MD5
  
  43b9aaf757a696c0ee6b290d5b59fead
- SHA1
  
  16efb77b11c2428db1ac81c66e380c15709fdd1a
- SHA256
  
  a7a13121b449d82ab4aa13dd35e68da7fc8d2a69311644c21b19bc2ccf56a0c9
- SHA512
  
  e623dbfacb39634f791bad3b2f400aa56c13b0a4fe0d4d91d510a071db62d5e7ff721cf5ee53587526a541e9f4c0f3b208e568ae7a506a2985fcc7beea6dacdb
- SSDEEP
  
  6144:Ut0ghg4SiMua1l/hMkaq8Srb201zA4rtfPj9Of2yLYsofsFq7Ujsv:Ut0G5ab8SrCY14f2yLYsnFq7vv
Score

1^/10
behavioral4 behavioral5
- Target
  
  MpAsDesc.dll
- Size
  
  204KB
- MD5
  
  ba2b29557ff5f4f3a7a55306d25b8d2b
- SHA1
  
  ca5dd5da467c755daa8be068397936c8de41057d
- SHA256
  
  5bf78317f21a79e0e6d48d68c30532888a7f5b3b629ef240733befff3619e9a2
- SHA512
  
  00b643281b0b49113fc6aa7ff1d234089c184a4080213065d96a13e39fedfc6f066d313469726d373a8c962e730a264226cd682d41f03a2e0ca15e8eb4f5d30e
- SSDEEP
  
  6144:vmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJ/:Nf
Score

1^/10
behavioral6
- Target
  
  MpAzSubmit.dll
- Size
  
  1.3MB
- MD5
  
  29fc71aa129a9497803a61161004aa61
- SHA1
  
  caff58ec07fbbd4dfd1140c79d25f83b99e04943
- SHA256
  
  f3b280576feb4afbcbde840007aa7be5ebce5e152256a65969d465f52b5a774e
- SHA512
  
  dbe6f35ca7ef6cae6aad5dd4599ed60798dc30ae7bf7540acba0ca470cc046b059b7bd1e697b7676eaace7cce2ddf15b7207a60d62e81d3e60de498c78af9d12
- SSDEEP
  
  24576:4nrdWCSqDgk/2SQXyWZTfKC6WQogiGCRku1kHfHdSHlTOaV:4nrdWCdDD25XyWZTfKC6WfTGCRH8VSN
Score

1^/10
behavioral7
- Target
  
  MpClient.dll
- Size
  
  1.9MB
- MD5
  
  978dd357e63cf2172cbaabd9a924926d
- SHA1
  
  f790d1c26e541e7a6f61c23428dbaed229180df2
- SHA256
  
  8124b90ecca30c18cb51d8fa5d540192035d8591cece109624f9bdb80d90117a
- SHA512
  
  76ad677e566f16fe163fe730a4796c943fcf5bcdf16e489231a3c424ef6485fbcb103a334dc9c35f10905cbee8d7851fa26de70d719bc06c12053c6d7579db7c
- SSDEEP
  
  49152:lcP2wX5eR8DAlfSOSwHvWCdL+4JT6Vqq1Lft:w8a
Score

10^/10

redline infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral8 behavioral9
- Target
  
  MpCommu.dll
- Size
  
  332KB
- MD5
  
  5fb1ac615c3c72df4dec02a64b7fd379
- SHA1
  
  f1491c11f9b793f758fdcd613a5e28b725f2d06a
- SHA256
  
  ca77dd6e870173ab419d43e56fb4446c6cf4493707287864049ce8b5e951ddec
- SHA512
  
  c227c1f91dd8105e7bb6b52365199251438a3f85df20d513c2956455b607d3e10fd5e7d5c8cd7cc01a4bb24cf6a240c28e5ef0c8ae6fc0f42970a1c9efe82973
- SSDEEP
  
  6144:AOpiJ7wnqa2EwPCaIAjB+9e20RG1yMuYLg4Ly:CJc2geH2r1xuey
Score

1^/10
behavioral10
- Target
  
  MpDetours.dll
- Size
  
  144KB
- MD5
  
  f574acdcb210e1f8bbc4733d3af82d6f
- SHA1
  
  378ac1d79194a8d7e9936a595bd9db2adadeb268
- SHA256
  
  af54dac2f73f6fb212b5dcacfac67b531cf0b79fc1e2fa6b82c5b895d892ec9f
- SHA512
  
  619b5ec15e3a310013405318ce61caa7cac94fcffa546e16069b59a22dff5261fb7d153c7e6e98976cc3ce04b55b54afa3ad2e9eef5e41660454ddb4aafc8978
- SSDEEP
  
  1536:Lzg3khUUc4YEaW4D50FyMPwL08Tnd9A+DkLkI44PWwmTZ5JmofbHPl:Lc3WqVW4d0FyMPwL02dxBZlNHmofLN
Score

1^/10
behavioral11
- Target
  
  MpDetoursCopyAccelerator.dll
- Size
  
  96KB
- MD5
  
  40a4995ae0098699dd471f992b4b4258
- SHA1
  
  d5e081ba5351b4cd19868f2cfd6962ee8f6aac10
- SHA256
  
  d85e1d836fb03807fece7c5868e206657e909762e3800d164dfbe90113495710
- SHA512
  
  185c225d7936c336d4a80c02d4d68045a1c942e7ed29dbc0f6b13ff9e52b845a80dfe25242dd1b91e62f4fd246093dd61563a8e8dfe0ad9fda3f3943415d7826
- SSDEEP
  
  768:hNzheLdkDvic8/sNEOBtDi187q7ZsH8P2o4wp1tYjeVmQqiKaMSve2kN38cU+ZwE:okqcE22/7ZDe8p/YjoIh2kNdZU5HPY
Score

1^/10
behavioral12
- Target
  
  MpEvMsg.dll
- Size
  
  140KB
- MD5
  
  9df51191844f79c00ad90076934496f8
- SHA1
  
  87f560d1686d58403b9fe6887eaf50b502d41727
- SHA256
  
  147e36a2c7b205cda744d7f7f7da17b9b60b26a4a62426fc169f82fd2687aca0
- SHA512
  
  9c5acb22c545e47c391cb3701c56ffd6f1729788fddde88cc42b8f622190ff79d154a2ebd4436d5be1acbe8c1c60fe96021e68a0c3e95465dd7831d290112eaa
- SSDEEP
  
  1536:OpD0UQih10Z/gnPH8iydExI6SqiyiS+2Jl5BBwugb81qz+4JbcMKPOVN:Od0UQJyQ
Score

1^/10
behavioral13
- Target
  
  MpOAV.dll
- Size
  
  484KB
- MD5
  
  394c2ecad239aa887188a7c8fdfc44b8
- SHA1
  
  0cc4f07cd5c2989efcd35f730a3690f9d1540a73
- SHA256
  
  f79c12abba8c5850906cb4d69a5b7f274786a7a4f6dcd94740c37fdf7fe0f290
- SHA512
  
  04171b4706d9ef3956635ed2d80ddacfef4e0396573af0da56b614dc821b2f5bf4ace94c26f1151636ee3732dbccba9a8d46fe6349950a4fe05c482494b1b636
- SSDEEP
  
  6144:uzNxZHzwalKMy0kdi2b5zQTubTU1LhqJULrin5CJVA/miTVVmVVV8VVNVVVcVVVi:uZxekAbhQTMU1tqJULraeA9N
Score

1^/10
behavioral14
- Target
  
  MpProvider.dll
- Size
  
  196KB
- MD5
  
  497fddc79f3c2ccbc65ede5cdb35f9b2
- SHA1
  
  1c2c2b6890ef6d94b29541d6a7bb5462164680b9
- SHA256
  
  3c5f90cda4b1cb8d12639385eaacc69aa96ae87b6fe257e30462dce558f1ae9a
- SHA512
  
  887d48d85f65ca9e4ebff6507bef4cc85016f5f26876948491bbbdc8ba46a991b56b9e610a12dc9f4ec3de56af186d6bf390ab786aef79d28a1f59cb63353902
- SSDEEP
  
  3072:que5tMF2FF41ZzjFwDB8XRf2oCSoqGoVQqya+TQMKTecepGimhkpTUNucix:que5Q2FFiFUBeoSxiHadimhmyQ
Score

1^/10
behavioral15
- Target
  
  MpRtp.dll
- Size
  
  1.3MB
- MD5
  
  b09a6e712989c71682b0b1593e4321e5
- SHA1
  
  526221185dfe858ffc50df59c102c53285732296
- SHA256
  
  ceef3fa431feef63744a02f292e8435bfb9d02653ff5ca1e4e397a8eda9b8c25
- SHA512
  
  c70ce87e5825fc0bf5462f2eca3bedb5b7c4af7806eeb87d69fcd510411cb8c84ecdf9efb1db0d7593dc14599a4fc3fe6a49aece821139bf08e753bc57f109da
- SSDEEP
  
  24576:p6sXqIv70PO2EU9aGvjPVHjIjrcWLOUpJtdcb1iehP:Ms6Iv7CE30LVHjIjwWiWJtdcb1iehP
Score

1^/10
behavioral16
- Target
  
  MpSvc.dll
- Size
  
  2.6MB
- MD5
  
  86449a4a33d1e34d66e146d53e72fc3c
- SHA1
  
  b8ed197af58656c6d2882e23aeccb08b1b214649
- SHA256
  
  2e85cc2a6f6ddf3d42fc258a8a9f3bcdbf46716b3c1bed09fda7242de1b245c2
- SHA512
  
  40ed419a70940aec9b8c4538ca9ed6bdbea6a2fde5f2d07777fba39c0566042ba5a0a37671331b832d83d88fa30e1a1034dd9355fd36e1a493dda20d797ebb2c
- SSDEEP
  
  49152:ttOlyJu7/mLqqrrMmgGSUaUrhqgs2078QqLQaQRGcUeGvflwcN:brJjFM81P+c3N
Score

1^/10
behavioral17
- Target
  
  MsMpCom.dll
- Size
  
  104KB
- MD5
  
  a27e3c773d4800429a39263dbe98e24d
- SHA1
  
  9f22ad93234749124b2fa5ac331ef4bb7662256d
- SHA256
  
  e96f24e730197d66ddb3f8a2f54a121523160187beb1bbccb5883ffe4b19fa0f
- SHA512
  
  94c24ca6e509a1df002cb93c5bf156d75e30d62ff9db0b570559f674e07d8b995fab622ce6ab057ac059030a3f53153e8205408924c31a6711af4d5a29e6cff4
- SSDEEP
  
  1536:NgzKUT0gEuOIv/5z1CWiRyPY1QYiYq8dJsqfVNt+QhKTeuq4lMYe7Pg:4Km0g8IgJQhYqG7fVNt+QKTeuq4lMYOY
Score

1^/10
behavioral18
- Target
  
  MsMpLics.dll
- Size
  
  20KB
- MD5
  
  c1fe13a9fbd581d6acf72afe3264fb3c
- SHA1
  
  fc4f46a421bc2574876bdd9a5134b9a0973a05ba
- SHA256
  
  8135ee0b4e92fe29dc07884079e7bf2300982b690f80ef7698eef33e8d694c78
- SHA512
  
  6d90169e2d74ddc3a4a196a8844e314aaf77799af4d83356171a4095fc3f97838359e7b5559df9e7ae2a780b115bec2c957adbb994fe5bd1fd8ade8cf858c40d
- SSDEEP
  
  192:cWgbHWQALc2Fu462TNvxjB1RDBQABJ3KNjpC52qnajOYa:cWgbHWQ1MJLRDBRJ0NliF
Score

1^/10
behavioral19
- Target
  
  ProtectionManagement.dll
- Size
  
  708KB
- MD5
  
  dae4004e0a642f88be3029dc4fe3b1ff
- SHA1
  
  dae88a84f80247b0e6a952c3d5696b28916d259a
- SHA256
  
  f532f803a9040930b10a880ba4d1ed62d44a15756c31a487ea8e90a67bfd3078
- SHA512
  
  95d6d4b48a8e9f65cf4836b25bae6792fbacf9be6afd9fc5a5eb820095bd62bcc401201e1c9c5fd0b7837b0113ef90e1acec14dfc07844a67069cf6981c5757f
- SSDEEP
  
  12288:mtmhr/XZihWuchRxWT53/gehV0XDU4KAZBj2G4W7q:FrYhWTl5XDPv1q
Score

1^/10
behavioral20
- Target
  
  endpointdlp.dll
- Size
  
  564KB
- MD5
  
  4433f83c04f409eaea6e9d8e36708684
- SHA1
  
  83f1d33c8babac4bb474ebd335f75a10d2971c64
- SHA256
  
  4804ae834ca909178f3e9d6876209aa10851a36bc4edafd75a571e980013da1d
- SHA512
  
  87a4db85ad47bc148223a22972d08962a57db07adf0b1ba19d279c2b57aa063c981d4d55106ea1ba85f239902ce4ff83272f476aa6b6447bd49319bfe9c8eb94
- SSDEEP
  
  12288:GPaUIpEjKRSSj6imoza9hzg1glUEv2k1ukJaFV4HojFQZLgc:AaJaKRx6XgUUm2kvaFs3gc
Score

1^/10
behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

RedLine

RedLine payload

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21