redline | 385040a365614ddfe8ee14d2bccb65ef5f8a123b9189ccb89144b0c6e548ea70 | Triage

Sharing

General

Target

385040a365614ddfe8ee14d2bccb65ef5f8a123b9189ccb89144b0c6e548ea70.exe
Size

976KB
Sample

241126-dzesvasjfx
MD5

f6635a42087a6e45da9fa48b6eb8024e
SHA1

a3c069f52e3494a7e2d5a13ba6648865c1be3e49
SHA256

385040a365614ddfe8ee14d2bccb65ef5f8a123b9189ccb89144b0c6e548ea70
SHA512

079de4fe9769290b96afa2a548385764f9d962152ce0ade7ba6c3f7b960d5f1336d7a3cfc554bc7f67c6fe271c4ca0bd908cb99f8d8a0f06505edce12ae4e4f0
SSDEEP

3072:HaXt5hsc2+T33w68MSWjFzNaMYpa/LJ9WsXrAmbvJMRYeL:6Xt5hsc2w3w6tztfnJrAm1MRF

Score

10^/10

redline diamotrix discovery infostealer persistence pyinstaller spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Targets

- Target
  
  385040a365614ddfe8ee14d2bccb65ef5f8a123b9189ccb89144b0c6e548ea70.exe
- Size
  
  976KB
- MD5
  
  f6635a42087a6e45da9fa48b6eb8024e
- SHA1
  
  a3c069f52e3494a7e2d5a13ba6648865c1be3e49
- SHA256
  
  385040a365614ddfe8ee14d2bccb65ef5f8a123b9189ccb89144b0c6e548ea70
- SHA512
  
  079de4fe9769290b96afa2a548385764f9d962152ce0ade7ba6c3f7b960d5f1336d7a3cfc554bc7f67c6fe271c4ca0bd908cb99f8d8a0f06505edce12ae4e4f0
- SSDEEP
  
  3072:HaXt5hsc2+T33w68MSWjFzNaMYpa/LJ9WsXrAmbvJMRYeL:6Xt5hsc2w3w6tztfnJrAm1MRF
Score

10^/10

persistence redline diamotrix discovery infostealer pyinstaller spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

redlinediamotrixdiscoveryinfostealerpersistencepyinstallerspywarestealer