redline | 858c355a5723e866dd9379765f2672976b4a097d836e8b5a2cd865f9819492a2 | Triage

Sharing

General

Target

avira_spotlight_setup.exe
Size

34.2MB
Sample

241204-x5lm5axkgx
MD5

972eb9126d92fea2626690bef903aad6
SHA1

9def5004dc267f77f5cfb7070e85d330b8e33638
SHA256

858c355a5723e866dd9379765f2672976b4a097d836e8b5a2cd865f9819492a2
SHA512

2283f4ab903c98ccfb0a79154d5ad32b4af1ac4e8e7d71d583bbdbbd0ca866449e6c7658a8ac6b1e6061c448fa34e3b0a84b84efc023e5b2c80ca71c6aeb048a
SSDEEP

786432:CxgDPaSv7Kbd46LHeyvLXGx5ncGmGGxqe6PqiDViD:JKbd46bC5ncz/xy7DVo

Score

10^/10

redline discovery execution infostealer persistence privilege_escalation

Malware Config

Targets

- Target
  
  avira_spotlight_setup.exe
- Size
  
  34.2MB
- MD5
  
  972eb9126d92fea2626690bef903aad6
- SHA1
  
  9def5004dc267f77f5cfb7070e85d330b8e33638
- SHA256
  
  858c355a5723e866dd9379765f2672976b4a097d836e8b5a2cd865f9819492a2
- SHA512
  
  2283f4ab903c98ccfb0a79154d5ad32b4af1ac4e8e7d71d583bbdbbd0ca866449e6c7658a8ac6b1e6061c448fa34e3b0a84b84efc023e5b2c80ca71c6aeb048a
- SSDEEP
  
  786432:CxgDPaSv7Kbd46LHeyvLXGx5ncGmGGxqe6PqiDViD:JKbd46bC5ncz/xy7DVo
Score

10^/10

redline discovery execution infostealer persistence privilege_escalation
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Creates new service(s)
  persistence execution
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

Software Discovery

Security Software Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinediscoveryexecutioninfostealerpersistenceprivilege_escalation