redline | 3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53
Size

1.1MB
Sample

240919-bmv8ystbnl
MD5

4b0f5b53264c56125bd5c889e063bbca
SHA1

af67f0e3380e79157505e9372922e372ca28fdeb
SHA256

3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53
SHA512

39ac9635eda068f758ff2ece2997100e9cabb254c02e4abb374b99fa415554369273a957ef51209fd0df624db1792bbb30a7f7da96015a7e98df73d290dae0ac
SSDEEP

24576:xQYmBqkDPByJzhAfD7MjzlR7BvVsqYrJc7f752/HnK2:xQ1DZ0z0MjHNvGqWJcB

Score

10^/10

redline defense_evasion discovery infostealer persistence

Malware Config

Extracted

Family

redline

C2

yellowbag.top:80

Targets

- Target
  
  3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53
- Size
  
  1.1MB
- MD5
  
  4b0f5b53264c56125bd5c889e063bbca
- SHA1
  
  af67f0e3380e79157505e9372922e372ca28fdeb
- SHA256
  
  3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53
- SHA512
  
  39ac9635eda068f758ff2ece2997100e9cabb254c02e4abb374b99fa415554369273a957ef51209fd0df624db1792bbb30a7f7da96015a7e98df73d290dae0ac
- SSDEEP
  
  24576:xQYmBqkDPByJzhAfD7MjzlR7BvVsqYrJc7f752/HnK2:xQ1DZ0z0MjHNvGqWJcB
Score

10^/10

redline defense_evasion discovery infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Deobfuscate/Decode Files or Information
  Payload decoded via CertUtil.
  defense_evasion
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Deobfuscate/Decode Files or Information

Indicator Removal

File Deletion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Remote System Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinedefense_evasiondiscoveryinfostealerpersistence

behavioral2

redlinedefense_evasiondiscoveryinfostealerpersistence