redline | a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79 | Triage

Sharing

General

Target

a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79
Size

2.6MB
Sample

241122-wxh2lavrht
MD5

08d5869bc24d424f76b8b862fb4d3ece
SHA1

542bf39e63aba74891f9b25e3a602cd8e364d1ea
SHA256

a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79
SHA512

afcc32c0af3d9bda5eddc4f69911a1aa2b6029a0b071ef81f22e109bdde68ab2638349f97d7f2d605f720c23c9964de95ea1a63beb85f4182c11a68576774aa0
SSDEEP

49152:cR0ZLQZ86dP3eKzjkGxE2KQKsVbr1ZjePG72Gq:rU1I2KQ95d72Gq

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Targets

- Target
  
  a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79
- Size
  
  2.6MB
- MD5
  
  08d5869bc24d424f76b8b862fb4d3ece
- SHA1
  
  542bf39e63aba74891f9b25e3a602cd8e364d1ea
- SHA256
  
  a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79
- SHA512
  
  afcc32c0af3d9bda5eddc4f69911a1aa2b6029a0b071ef81f22e109bdde68ab2638349f97d7f2d605f720c23c9964de95ea1a63beb85f4182c11a68576774aa0
- SSDEEP
  
  49152:cR0ZLQZ86dP3eKzjkGxE2KQKsVbr1ZjePG72Gq:rU1I2KQ95d72Gq
Score

10^/10

discovery persistence redline infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

redlinediscoveryinfostealerpersistencespyware