redline

General

Target

FnCheatCracked.rar
Size

6.2MB
Sample

241122-wsetda1ndn
MD5

600751e5c06b74f501784156f18d1c79
SHA1

36ac231fc3db400deab30369b5ef20b995af678c
SHA256

3307062c28428650267d61ad282295e38d5d2f4d2a033824ecfe302cdcc4be3b
SHA512

cc49b242d2a66d1d719ebc69a36ef2ad32c63a8d7f8a4162ac98e24b1da5bff144de114f31f81d4c611547b81847c66e20a15f6f02051b827521198fc7604cc9
SSDEEP

196608:G4wCflR0SjSDiQckcU+PDF/5/ohgY/aULWy:G4w86XcU+55AhgYrWy

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

ingles

C2

20.47.120.249:1912

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  Fn Cheat Cracked/Driver Dump/driver.sys
- Size
  
  9KB
- MD5
  
  d28af522ac4c301de527271c2b1b1726
- SHA1
  
  ee9d28fff7ae8563cd15cbadd4a9aa10c3040390
- SHA256
  
  3868770ba5ca380250143472ba753cc94f2c7c318eabc29b5eb0c5de55b08024
- SHA512
  
  d4ad50d1875ba77a164e3166d9a935506234a39240c024c3bed0876c5cdc8b82957d8d707baad8d908da57fc3f3d314a5d378ee229d1add5887a70d8e75c2fdb
- SSDEEP
  
  192:wgo2gczvWMcwL/89YcZbZuZxkItZVQHkBAkpT:vokbWM7/65ZNGxkHkB7
Score

1^/10
behavioral1
- Target
  
  Fn Cheat Cracked/Driver Dump/mapp.exe
- Size
  
  143KB
- MD5
  
  98139cee6a27bc7115b7dec0ccc0d56d
- SHA1
  
  c73c945b4c0666668afc0c56ac9518108b532ce6
- SHA256
  
  e7b9b250e62a5b9fbc0e49e7d572c33bc91df667f0d65c8a4e8f3e11762ca61c
- SHA512
  
  8f6d68688944d4f51aebd9b8a8209e1ffa1e8ce4437c2d4529d0a1f57daaba73689a9af1ae4a254865801662305cfd7eae2117ad482911835c146fbdc3889811
- SSDEEP
  
  3072:0nQGQ/taw4jXYpdxLc9wNImJTQSaMm5/6fGNv7qObYop3o:eQGIUw4DwkaWlMJ6Zp4
Score

1^/10
behavioral2 behavioral3
- Target
  
  Fn Cheat Cracked/fn (1).exe
- Size
  
  6.1MB
- MD5
  
  75104ebb7b59d1cee81ee9855b0bfa0c
- SHA1
  
  122d4239f5e838c40a905bf8ee4270d2e7526367
- SHA256
  
  1cd7a63a349eacea2579932f9fdf40edf2eb57b62b76b18a92c1b7d0c82c81e0
- SHA512
  
  d9aebd3fc23ee26e6135b3b1607c2450c2a837aa383c24cd056ad63e1df7a5dfdc072a6f4f3654008d15d81eee339b25fb9e638a27eabf8bd314825a6c96de53
- SSDEEP
  
  196608:l4wCflR0SjSDiQckcU+PDF/5/ohgY/aULW:l4w86XcU+55AhgYrW
Score

10^/10

redline xred ingles backdoor discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral4 behavioral5