redline

Sharing

Copy URL Twitter E-mail

General

Target

SolaraBETA3.rar
Size

9.8MB
Sample

240822-qxwpssselm
MD5

e3b10b39011c56b6c4eb84d22f2fceb3
SHA1

fc9db4d8e76354a9c91ef3d484b4e9e1e67842e0
SHA256

40b837d2e186d69eec57955b02c768bf6612f24e2343c24b2b91b8163ab61d76
SHA512

34fb10448ec4ba7ba6c89c54902d01296fed71fd08a97b50e296fd09392525e69ed3c731cfd12bdfe963db5df8e5135901ee762f464362c0503f3a981d8e47ec
SSDEEP

196608:M8qBOl8kO0qF0oGER+0pyWTmoKe14EasQZ4igKYwXbSK5Dz62V3:MSl8kO0kXtDxTmW14Eas2qwXuK5H62F

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

194.26.232.43:20746

Targets

- Target
  
  SolaraBETA3/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral1 behavioral2
- Target
  
  SolaraBETA3/Solara Updater (If crashed)/Solara_Updater.exe
- Size
  
  240KB
- MD5
  
  b89051e8cf348e69c0943b540af3b99c
- SHA1
  
  50200e338cb5df75077c6144884bf0ff6bf7cc7a
- SHA256
  
  2e0a0e7e5d510f4274cd22ca2ed10f4bcca932a8cb2a756a47c13fb36a5fb58d
- SHA512
  
  ab1e75c6ccf80fdd29bb35ec802032a46cf642e444ba392a2224cc025d05d78148f60bf81d4405b25301ce86b83e03d9249378864afa575fa6a61f05dea21408
- SSDEEP
  
  6144:poKbfO8otzIJZiCgq1gQb4KgLqMIuLRTK83KrAqG:poKzO8otaZiCgSgQb4KgLqMIuLRTwrAq
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  SolaraBETA3/Solara X.exe
- Size
  
  250.0MB
- MD5
  
  43f926f0847f8b9d1c5d94f03e05953f
- SHA1
  
  025398a3db4f6eae18ee5fe3d309e1bcc3c0b551
- SHA256
  
  e49cffe19f100a25de6721068952aefa0ee96d7f707baafcd524b18290492aba
- SHA512
  
  d2bf0c47c9a574e33c18961ce4efea4fa553976a1484bac2dad8059d3e32ac4323bdd4989bebea81e132c63ed0b99085482a686180628d1d932a7888f25c8e42
- SSDEEP
  
  24576:ZXr/woHRSlL+hU26T6iILGsPg8lBLRVqF:97bHEwhU2sEVYELu
Score

10^/10

redline @dxrkl0rd discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral5 behavioral6
- Target
  
  SolaraBETA3/Solara.dll
- Size
  
  6.6MB
- MD5
  
  110e9512db3d6a513d94db3729919c0d
- SHA1
  
  255dcd16391adea11a8fb06dbe6ea4b5dd8afb09
- SHA256
  
  d4879d299553da0777a1ed4de8e5d77f89c493975133723529cd45891a278fa3
- SHA512
  
  687f415b2a934de6fb82a740b737b77a4683ab6da914dddf67eb28006df8f8cb695b4011a13d16a1df247f83cdf04f8f979345ae098d3ccdc44d1e55fecae5bf
- SSDEEP
  
  98304:MRzLN6+Wb8g+p9zZzyG74bajZ8XN33VMiBDeUaN7OaM2U/MwfGl8torJr7IX/1rJ:MXASdzyG74bajZGy+uNfa5el8tEPI1rJ
Score

7^/10

themida
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral7 behavioral8
- Target
  
  SolaraBETA3/Wpf.Ui.dll
- Size
  
  5.2MB
- MD5
  
  aead90ab96e2853f59be27c4ec1e4853
- SHA1
  
  43cdedde26488d3209e17efff9a51e1f944eb35f
- SHA256
  
  46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
- SHA512
  
  f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
- SSDEEP
  
  98304:Com1p/B6MvSmaRI+VcDNkq4pmvhAHDfyyrhl:W1HZNkq4p
Score

1^/10
behavioral10 behavioral9
- Target
  
  SolaraBETA3/libcurl.dll
- Size
  
  522KB
- MD5
  
  e31f5136d91bad0fcbce053aac798a30
- SHA1
  
  ee785d2546aec4803bcae08cdebfd5d168c42337
- SHA256
  
  ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
- SHA512
  
  a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6
- SSDEEP
  
  12288:InAnSwPc/1BzyLmI2MB1MqcUfCKHU1XAfK6ae:I6Pc/1BOKtaeqcUaZXm
Score

1^/10
behavioral11 behavioral12
- Target
  
  SolaraBETA3/msvcp140.dll
- Size
  
  576KB
- MD5
  
  7b92a6cb5d2cad407c457ab12d2b211d
- SHA1
  
  e04020b3448fc6084fa31b7f791f22ff15e31328
- SHA256
  
  3c6a772319fff3ee56d4cedbe332bb5c0c2f394714cf473c6cdf933754114784
- SHA512
  
  b28740c1aca4f0f60a9e4a9ab5a0561af774d977ab6d42a7eea70c9e560c77c50be5d9d869f05d0435e2923f4f600219335d22425807ab23cbbcda75442c4b42
- SSDEEP
  
  12288:RI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRvbQEKZm+jWodEEVhQ:RD89rxZCQEKZm+jWodEEPQ
Score

1^/10
behavioral13 behavioral14
- Target
  
  SolaraBETA3/runtimes/win-arm64/native/WebView2Loader.dll
- Size
  
  121KB
- MD5
  
  aeb1b80258d8c6bd9b88d309fc938823
- SHA1
  
  b6c1e5e3e4f2799285757ad091d7ceeaf3c6de35
- SHA256
  
  60a48cb3a939e30ffcee0f84cd0967231693c6e0bcc60ab5c77ff90ecf68824f
- SHA512
  
  99e826c074bca009d7720b82cf9fa0ad780967c523ec372578a9a906798db19a1e2f75acf9d0cdbdd78b83043df285127cef524f699b178e1a4b03b8996de004
- SSDEEP
  
  1536:7DIqUepIC7H67AsPWl0+mWfvkvzGwsWWdttSDjEtIectI87n+INj:7DI7eGLXymWU7GV7SDjEtnca7w
Score

1^/10
behavioral15 behavioral16
- Target
  
  SolaraBETA3/runtimes/win-x64/native/WebView2Loader.dll
- Size
  
  133KB
- MD5
  
  a0bd0d1a66e7c7f1d97aedecdafb933f
- SHA1
  
  dd109ac34beb8289030e4ec0a026297b793f64a3
- SHA256
  
  79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
- SHA512
  
  2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
- SSDEEP
  
  3072:e5i6Uab3sFhPk6vEmG1PU6dLXm2ng3esQDqEt2JljdTu:e5P2e6vERtUyTmHEtmI
Score

1^/10
behavioral17 behavioral18
- Target
  
  SolaraBETA3/runtimes/win-x86/native/WebView2Loader.dll
- Size
  
  107KB
- MD5
  
  e2a10346ba7b74f8c79afc419ed470d5
- SHA1
  
  3ced830ffa621ce122169433b224c3df7fed0f3f
- SHA256
  
  79885ef79591964477c09afd51c4f1981a4904601c23247975b9f84cb5d7b84b
- SHA512
  
  da58cba7be5bd12048cdd4f31d2835b8db5bbe93ea178941ff1af4cd6712175a0aab2945415d016648399838d80e6e33215d12a25867a4b0102356230ba22803
- SSDEEP
  
  3072:XXKaNm8sCEvfpFVUKbiDUuP7ANt+/NvcD/EtK9nsnRj81:X6ac8sCiXbiguP7n8EtSnIRQ1
Score

3^/10

discovery
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates processes with tasklist

Themida packer

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20