redline

Sharing

Copy URL

Twitter E-mail

General

Target

SynZ.zip
Size

70.1MB
Sample

240805-gfzkpascrd
MD5

b8718b508f8214d94102e4a3dd19c7de
SHA1

6f5ec8f5b99ac2ac062c294bfb3001b6cc14c2a8
SHA256

00a91ee380c010c2ce133a3d6e2dc89d3cef7d8f0340d4ff8882f5eb54763e02
SHA512

ea1ae85625973d71750b2e437bdfe9dc44079b3c406463dd5d251745cd8c356d19b5c95a6ccf8679c775a1ef48a4fc7b52880e61d154bd321fa32c679da1f19c
SSDEEP

1572864:Au4juo6zD0ybwx9tGGTT19ZBUlAqfgH3bnnD4F9CdqcGAtzgs:Au6udn06wx9tGGHDZBfqfgrMZZ8gs

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

185.196.9.26:6302

Targets

- Target
  
  SynZ.zip
- Size
  
  70.1MB
- MD5
  
  b8718b508f8214d94102e4a3dd19c7de
- SHA1
  
  6f5ec8f5b99ac2ac062c294bfb3001b6cc14c2a8
- SHA256
  
  00a91ee380c010c2ce133a3d6e2dc89d3cef7d8f0340d4ff8882f5eb54763e02
- SHA512
  
  ea1ae85625973d71750b2e437bdfe9dc44079b3c406463dd5d251745cd8c356d19b5c95a6ccf8679c775a1ef48a4fc7b52880e61d154bd321fa32c679da1f19c
- SSDEEP
  
  1572864:Au4juo6zD0ybwx9tGGTT19ZBUlAqfgH3bnnD4F9CdqcGAtzgs:Au6udn06wx9tGGHDZBfqfgrMZZ8gs
Score

1^/10
behavioral1 behavioral2
- Target
  
  SynZ/Synapse/Synapse Z.exe
- Size
  
  70.0MB
- MD5
  
  235974b1df44f0484d8210536dab5d41
- SHA1
  
  de52848ea0fedf2f7491e81147139a2d80fe4a6c
- SHA256
  
  8b4acf13ad30350adabed9aa814134fe1065aaffeb04b2403b400986859dc19d
- SHA512
  
  65202c05e5dd1a04ecdf04b1ec5be0743d26d28a3aa2f376bab057a7b7a253e872d7417b592d525227dd937f1d7541f4a7a2b35654a7b8398065b91484acc9b7
- SSDEEP
  
  24576:z9JdpJxPSmAs5RAEZXA9f0dna+oF7uQajj5yr0E:Dd5NT1Q9Kazubj5y4E
Score

10^/10

redline @dxrkl0rd credential_access discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates processes with tasklist
  discovery
behavioral3 behavioral4
- Target
  
  SynZ/Synapse/autoexec/test.lua
- Size
  
  34B
- MD5
  
  f051c998ef025a1ccd4f6f7abe16e55e
- SHA1
  
  2e75e1237531ae3c0647c0fad7cf6ae1687d0e99
- SHA256
  
  601c187ff3410f7c71258bd29c0e48a9f40a046a745093f71e7172decf0f0eae
- SHA512
  
  748cb431b3a2208c07187c80a3c5b5174b2c536fb056e7b48646875cbd4392225da4aaaaf376f16ca79ab854245e7638cf02103f0913abff55e005da482d498a
Score

3^/10
behavioral5 behavioral6
- Target
  
  SynZ/Synapse/autoexec/test2.lua
- Size
  
  11B
- MD5
  
  701bf4a4743e5e0361e26999881a5ce9
- SHA1
  
  f34d33bcb5c13eae1c15faddc6054e479f74aa28
- SHA256
  
  c2d0a5e0790d97a015387a995c0d0b5eb3e88138466586fc980787c9b1731eb8
- SHA512
  
  8c0eedc5dca108eb9682239164cba3c70ba4c12e4520a9bdfa8efce0416ce51534fcea2ef4dcd7ea2dfc684358a064233165b0bda5287892de2014a1f2b21c6f
Score

3^/10
behavioral7 behavioral8
- Target
  
  SynZ/Synapse/workspace/.tests/appendfile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral10 behavioral9
- Target
  
  SynZ/Synapse/workspace/.tests/getcustomasset.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral11 behavioral12
- Target
  
  SynZ/Synapse/workspace/.tests/isfile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral13 behavioral14
- Target
  
  SynZ/Synapse/workspace/.tests/listfiles/test_1.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral15 behavioral16
- Target
  
  SynZ/Synapse/workspace/.tests/listfiles/test_2.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral17 behavioral18
- Target
  
  SynZ/Synapse/workspace/.tests/loadfile.txt
- Size
  
  1B
- MD5
  
  8fa14cdd754f91cc6554c9e71929cce7
- SHA1
  
  4a0a19218e082a343a1b17e5333409af9d98f0f5
- SHA256
  
  252f10c83610ebca1a059c0bae8255eba2f95be4d1d7bcfa89d7248a82d9f111
- SHA512
  
  711c22448e721e5491d8245b49425aa861f1fc4a15287f0735e203799b65cffec50b5abd0fddd91cd643aeb3b530d48f05e258e7e230a94ed5025c1387bb4e1b
Score

3^/10
behavioral19 behavioral20
- Target
  
  SynZ/Synapse/workspace/.tests/readfile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral21 behavioral22
- Target
  
  SynZ/Synapse/workspace/.tests/writefile
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral23 behavioral24
- Target
  
  SynZ/Synapse/workspace/.tests/writefile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

3^/10
behavioral25 behavioral26
- Target
  
  SynZ/Synapse/workspace/EzHubLL.txt
- Size
  
  2B
- MD5
  
  99914b932bd37a50b983c5e7c90ae93b
- SHA1
  
  bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
- SHA256
  
  44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
- SHA512
  
  27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
Score

3^/10
behavioral27 behavioral28
- Target
  
  SynZ/Synapse/workspace/IY_FE.iy
- Size
  
  539B
- MD5
  
  291d5636a434c4f1ceb0f3f776c2a51f
- SHA1
  
  ae287e08f71c522a72812f0dace94b8ffb569341
- SHA256
  
  73bb58ba5b81960caf5a8e66675cc89b5761b77db99c6ceb9435f7211d400452
- SHA512
  
  7dab8034f85aef1b2b7a86cc8220ebdbb95a3f083d1565e1cff38414367aa69fc597a11aaba11dbef411e13fbfb285855d9c46ae59738f6e88c22dd55c81a743
Score

3^/10
behavioral29 behavioral30
- Target
  
  SynZ/Synapse/workspace/Sky Hub/Sky Hub Settings.json
- Size
  
  52B
- MD5
  
  9a42aefba1beca2d4816e37142fa22db
- SHA1
  
  387384c567a5bd1ca99568c43315ea39bdaec1e0
- SHA256
  
  37dd2675939dcf754c08d0a3776908fc7c996849839dcba037848a943f33240b
- SHA512
  
  77ed2aeab7c10507e74c8001cbafe883d4a308cc3686d0edcf8925db54f00e45337b9ebd7d19c83129cebda0e0eaa9d01a0f5474d0639b6cab5659cfedb80a9b
Score

3^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32