redline | d39102871ef052ad31497b0998e298f88cde5965bc398079d64dbf67242fd217 | Triage

Sharing

General

Target

d39102871ef052ad31497b0998e298f88cde5965bc398079d64dbf67242fd217.exe
Size

729KB
Sample

241121-axcc6awrgw
MD5

bd89ba099d573971b0ce2e80ac5b111c
SHA1

a025f87b1a62b39be4bc17f9c9709280373e7960
SHA256

d39102871ef052ad31497b0998e298f88cde5965bc398079d64dbf67242fd217
SHA512

b9f2e2f5d4d5ec2e1c73f35f7d40c3ef85fddbde82296aabdfb131dfe22ada7a46a93356cb82b6ba0eaf3358c8145655a0fee2031b96f2f57b31af426e219443
SSDEEP

12288:s3HI6h903fznHkkaXNym6lXIxI65x8efj0NYFN5x1oBQkkj:+HI40vzH/adym6ROIFefgNcNf1oc

Score

10^/10

redline malwi discovery execution infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

Malwi

C2

185.241.208.193:1912

Targets

- Target
  
  d39102871ef052ad31497b0998e298f88cde5965bc398079d64dbf67242fd217.exe
- Size
  
  729KB
- MD5
  
  bd89ba099d573971b0ce2e80ac5b111c
- SHA1
  
  a025f87b1a62b39be4bc17f9c9709280373e7960
- SHA256
  
  d39102871ef052ad31497b0998e298f88cde5965bc398079d64dbf67242fd217
- SHA512
  
  b9f2e2f5d4d5ec2e1c73f35f7d40c3ef85fddbde82296aabdfb131dfe22ada7a46a93356cb82b6ba0eaf3358c8145655a0fee2031b96f2f57b31af426e219443
- SSDEEP
  
  12288:s3HI6h903fznHkkaXNym6lXIxI65x8efj0NYFN5x1oBQkkj:+HI40vzH/adym6ROIFefgNcNf1oc
Score

10^/10

redline malwi discovery execution infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinemalwidiscoveryexecutioninfostealerspyware

behavioral2

redlinemalwidiscoveryexecutioninfostealerspyware