redline

General

Target

Exodus Backup.zip
Size

224.2MB
Sample

241128-hbk26svmhl
MD5

dbb7b2722726811d996ad2674ccd88dc
SHA1

b079fac5f4772d8eb549bf7f03e9c4af17e09245
SHA256

21b4e9035539bfd9e1d5887325fd5c671c113830035b347b0f1d002a7fa5ead6
SHA512

9ff8f75c98b1cfac4afe407be545d8f0d3eaedf8e9b171a46371f960e40eee6589ead09559e1c2da7cc1036241733b4cf96794da485eb5155af6311c535ccde6
SSDEEP

6291456:5pHqxhMpbUQPrvc7k9u6zz5vUFhC6nRn8fPbJShHH5vLsCDX:LHqxIbUQzvc7uu6H5vUFA6YQhHH5vLsi

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

Exodus

C2

85.117.241.171:1912

Targets

- Target
  
  Exodus Backup.zip
- Size
  
  224.2MB
- MD5
  
  dbb7b2722726811d996ad2674ccd88dc
- SHA1
  
  b079fac5f4772d8eb549bf7f03e9c4af17e09245
- SHA256
  
  21b4e9035539bfd9e1d5887325fd5c671c113830035b347b0f1d002a7fa5ead6
- SHA512
  
  9ff8f75c98b1cfac4afe407be545d8f0d3eaedf8e9b171a46371f960e40eee6589ead09559e1c2da7cc1036241733b4cf96794da485eb5155af6311c535ccde6
- SSDEEP
  
  6291456:5pHqxhMpbUQPrvc7k9u6zz5vUFhC6nRn8fPbJShHH5vLsCDX:LHqxIbUQzvc7uu6H5vUFA6YQhHH5vLsi
Score

10^/10

redline exodus credential_access defense_evasion discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Export 12-word secret recovery phrase.exe
- Size
  
  224.6MB
- MD5
  
  eb4fb6e1c5ebfb3775f4c69f096607b4
- SHA1
  
  99551ae3ba358acf9c2c09bab8bd8ed2e207b62d
- SHA256
  
  149426bcc226da12143a3fed2924c057eb2b6cde0d7c35da828619722d92bebd
- SHA512
  
  0e26cd355c760148455ee9f5c6b21360135dcd88fcff9e996ce0ffd295e9e2e7397e1c7ec2293bbe327ff142b39c62b0c6c1fc77884f4614dcaaa8acaa5b966f
- SSDEEP
  
  6291456:K3TALfelJCmbxJALe9CCr/BH69l28PxH8b/3fwbBHjB3sM3:kTALGJCmlJALACCDBH69k8kAbBHjB3sS
Score

10^/10

redline exodus defense_evasion discovery infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral2