agenttesla

Resubmissions

02-08-2024 12:16

240802-pfv69s1drg 10

02-08-2024 12:15

02-08-2024 12:14

02-08-2024 12:06

01-08-2024 01:57

Sharing

Copy URL

Twitter E-mail

General

Target

bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf.zip
Size

20.2MB
Sample

240802-n97ays1dpa
MD5

05543d62dd8e652936165c212ca0980a
SHA1

f0c13e272c06cc945891d3508e341c1b5550a8e9
SHA256

bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf
SHA512

3cae5f69d3a7beffcb357b668b00a2223d3e616eb29564ed978138c80d9245af3ef77d78a86365039e745d430dac6d8e0a75d683c38f45024a6c9193bebc70ee
SSDEEP

393216:8rniuKDJ1KA/oaXpBbD3QRDqeyNrQ/MR50eaJ92Bc0bU4BVzjfBzGct9/ug5Hd3w:8rOJsA/dBb7Qg3rQ0Q0TUcBzj/ugNd3w

Malware Config

Extracted

Family

stealc

Botnet

hello

http://85.28.47.70

Attributes

url_path
/570d5d5e8678366c.php

Extracted

Family

xworm

schools-copper.gl.at.ply.gg:14154

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276

Extracted

Family

redline

Botnet

6951125327

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

82.65.19.134:4443

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bonnyriggdentalsurgery.com.au
Port:
587
Username:
[email protected]
Password:
Sages101*
Email To:
[email protected]

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CEE77F3E7BDC69C63 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Credentials

Protocol: smtp
Host:
mail.bonnyriggdentalsurgery.com.au
Port:
587
Username:
[email protected]
Password:
Sages101*

Extracted

Credentials

Protocol: ftp
Host:
ftp.libreriagandhi.cl
Port:
21
Username:
[email protected]
Password:
x6p2^m#1#~+O

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.149:2888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7Q1GRN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

stealc

Botnet

default

http://85.28.47.101

Attributes

url_path
/f3ee98d7eec07fb9.php

Targets

- Target
  
  1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
- Size
  
  678KB
- MD5
  
  c229261d7e8c8524dd25f7bc58edddf8
- SHA1
  
  781d106f3aa60c392f039968ae45c53f78890871
- SHA256
  
  0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd
- SHA512
  
  be05a39499b86bfcb30725fd277502f026b29b205bb657d8303b55d9b8e0ae6d4bfb507153d77229871df32d4608a5b8b3bdb1e783f12db2541e48a73fd2891c
- SSDEEP
  
  12288:8S2iNbczDLej8zhAA3Crp4mIjYBTBIE5Vmmah9di01DRzqICQlzCDmXPIPe:8S1ZcXh9IuMZBIEHlg9s01D71lzCDmXS
Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
- Size
  
  1.3MB
- MD5
  
  73d006e33d8eda033e684c07b15c53ad
- SHA1
  
  e3e0a09b37beee1e19d5a6b9fd5322f906f4493d
- SHA256
  
  0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160
- SHA512
  
  1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db
- SSDEEP
  
  24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
- Size
  
  161KB
- MD5
  
  855da30648c0d4f4e2497470ece750bf
- SHA1
  
  4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a
- SHA256
  
  08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65
- SHA512
  
  948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393
- SSDEEP
  
  3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf
Score

10^/10

stealc hello discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5 behavioral6
- Target
  
  1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
- Size
  
  389KB
- MD5
  
  35a50d146a389289bf8cf8ae60c9e785
- SHA1
  
  eb94502d25789eb86dc160c2bc9be4b4a64131bd
- SHA256
  
  0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791
- SHA512
  
  9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada
- SSDEEP
  
  6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO
Score

10^/10

discovery stealc default stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
- Size
  
  146KB
- MD5
  
  2357ecbcf3b566c76c839daf7ecf2681
- SHA1
  
  89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
- SHA256
  
  0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
- SHA512
  
  bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
- SSDEEP
  
  3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (631) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
- Size
  
  1.0MB
- MD5
  
  631e3c5465349fdfd6fc2fbe9c15cf65
- SHA1
  
  af9e5b3d8ca4b6c64b69876b9cad6a18476f0168
- SHA256
  
  25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f
- SHA512
  
  31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93
- SSDEEP
  
  24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2
Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
- Size
  
  338KB
- MD5
  
  6f1e400bcf79c773832b3ca2aab94d3d
- SHA1
  
  8a1724e7f0df1b8bb22413751908b76f72498121
- SHA256
  
  2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c
- SHA512
  
  2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a
- SSDEEP
  
  6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO
Score

10^/10

discovery redline 6951125327 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
- Size
  
  338KB
- MD5
  
  d5ad720fa67bbce2d11544ad3c211424
- SHA1
  
  e9f63402b2eaabbdcc6cb5ec95e328f9620cd170
- SHA256
  
  2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e
- SHA512
  
  d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6
- SSDEEP
  
  6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO
Score

10^/10

discovery redline 6951125327 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
- Size
  
  3.3MB
- MD5
  
  7cdff219ccaaa4c4d67448e9e812f2de
- SHA1
  
  a063103f177df84c90f0054d0f2adcae6f1885af
- SHA256
  
  39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82
- SHA512
  
  5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5
- SSDEEP
  
  49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T
Score

10^/10

babylonrat discovery trojan upx
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
- Size
  
  487KB
- MD5
  
  f451292bbe0b4c16d244c251105de16a
- SHA1
  
  a527d277ccc25ad97ae64fb76767f1e2cda66ff2
- SHA256
  
  3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a
- SHA512
  
  d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a
- SSDEEP
  
  6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral19 behavioral20
- Target
  
  1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
- Size
  
  731KB
- MD5
  
  bd1050f3642d22733a30cd101f591713
- SHA1
  
  5a6553bea21e2df2307ed5c843072bcb023566be
- SHA256
  
  3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671
- SHA512
  
  6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883
- SSDEEP
  
  12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2
Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
- Size
  
  109KB
- MD5
  
  2da5e6b97759d3537cbd23e9fdb2b770
- SHA1
  
  cabbf38051fa6657e28a12dee92042e44d8b72cb
- SHA256
  
  4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5
- SHA512
  
  7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b
- SSDEEP
  
  1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w
Score

10^/10

redline 6951125327 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral23 behavioral24
- Target
  
  1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
- Size
  
  1.2MB
- MD5
  
  dd831eb4a822421a497990d84a0fd578
- SHA1
  
  aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
- SHA256
  
  4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
- SHA512
  
  5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
- SSDEEP
  
  24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral25 behavioral26
- Target
  
  1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
- Size
  
  719KB
- MD5
  
  a7d3bd55656bdc04c270315d083b59c1
- SHA1
  
  a76453791867e4aaf4cd0551b70e52ced80b3fab
- SHA256
  
  5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33
- SHA512
  
  9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861
- SSDEEP
  
  12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
- Size
  
  765KB
- MD5
  
  a8e583583122cff4ea57a3062bb4aa3f
- SHA1
  
  b4a4bee8dbc966624f43273a500aa0ec1bbf1790
- SHA256
  
  68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4
- SHA512
  
  3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91
- SSDEEP
  
  12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE
Score

10^/10

discovery redline 6951125327 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
- Size
  
  2.1MB
- MD5
  
  ab6ca8e3d0c7967c6372a96334e6bb19
- SHA1
  
  58a2142787ffae164d4c78d97102ff652fecfc86
- SHA256
  
  6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5
- SHA512
  
  a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445
- SSDEEP
  
  49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17
Score

7^/10

discovery persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral31 behavioral32