{
  "type": "URL",
  "indicator": "https://b.popmonster.ru/187547149.exe",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://b.popmonster.ru/187547149.exe",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3269391796,
      "indicator": "https://b.popmonster.ru/187547149.exe",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "62e2735c21200c3c34fff30b",
          "name": "Threat Profile: RedLine Infostealer",
          "description": "An information stealer, named RedLine Stealer by the author, was identified being delivered through spam email campaigns. The malware is offered for sale on Russian dark web forums and as a tiered subscription, allowing threat actors to use the information stealer, subscribe at different costs and purchase different access levels. In addition to being a password stealer, RedLine has the capability to steal login information, autocomplete data, passwords, and credit card information from browsers.",
          "modified": "2022-08-27T00:02:51.006000",
          "created": "2022-07-28T11:30:36.121000",
          "tags": [
            "redline",
            "redline stealer",
            "insikt group",
            "stolen",
            "future identity",
            "intelligence",
            "recorded future",
            "platform",
            "yara",
            "snort",
            "sigma",
            "folding",
            "proofpoint",
            "learn",
            "stealer malware",
            "figure",
            "march",
            "c panel",
            "trojan redline",
            "united",
            "download",
            "ransomware",
            "stop ransomware",
            "protect",
            "small",
            "tools",
            "mozilla",
            "path",
            "steam",
            "winscp",
            "code",
            "malware",
            "demo",
            "change redline",
            "group",
            "stealer",
            "lapsus",
            "team",
            "please",
            "microsoft",
            "asec",
            "minerva labs",
            "nanocore rat",
            "kela",
            "ave maria",
            "netwire rc",
            "jackal",
            "mars stealer",
            "vidar",
            "discord",
            "quasar rat",
            "bill",
            "xavier",
            "melissa",
            "blaze",
            "taurus",
            "gcleaner",
            "panda",
            "oilrig",
            "mask",
            "crew",
            "machete",
            "back",
            "arkei stealer",
            "ginzo stealer",
            "malicious",
            "adobot",
            "orcus rat",
            "hido",
            "look",
            "upgrade",
            "privateloader",
            "atomic",
            "matryoshka",
            "redlinestealer",
            "open",
            "natalie",
            "oski stealer",
            "underminerek",
            "blacknet rat",
            "michael",
            "agent tesla",
            "taurus stealer",
            "zloader",
            "phishing",
            "stealth mango",
            "cozybear",
            "cozer",
            "oceanlotus",
            "holmium",
            "scarcruft",
            "venus",
            "aluminum",
            "star",
            "matanbuchus",
            "comnie",
            "termite",
            "emdivi",
            "greenbug",
            "careto",
            "cobalt",
            "cyber",
            "dnspionage",
            "darkhotel",
            "luder",
            "nemim",
            "tapaoux",
            "pioneer",
            "havex",
            "evilnum",
            "gcman",
            "ghostnet",
            "bitter",
            "icefog",
            "trident",
            "infy",
            "kinsing",
            "leviathan",
            "esile",
            "elise",
            "sykipot",
            "microcin",
            "mirage",
            "muddywater",
            "mercury",
            "naikon",
            "nettraveler",
            "travnet",
            "nitro",
            "strongpity",
            "keyboy",
            "powerpool",
            "indra",
            "sauron",
            "msupdater",
            "sidewinder",
            "redalpha",
            "mantis",
            "rocke",
            "blackenergy",
            "mimic",
            "silence",
            "guardian",
            "sednit",
            "teamspy",
            "teamtnt",
            "teamxrat",
            "tick",
            "turla",
            "snake",
            "wraith",
            "pfinet",
            "krypton",
            "zoopark"
          ],
          "references": [
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
            "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
            "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RedLine",
              "display_name": "RedLine",
              "target": null
            },
            {
              "id": "Change RedLine",
              "display_name": "Change RedLine",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1130",
              "name": "Install Root Certificate",
              "display_name": "T1130 - Install Root Certificate"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1170",
              "name": "Mshta",
              "display_name": "T1170 - Mshta"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1085",
              "name": "Rundll32",
              "display_name": "T1085 - Rundll32"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1217",
              "name": "Browser Bookmark Discovery",
              "display_name": "T1217 - Browser Bookmark Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1114.001",
              "name": "Local Email Collection",
              "display_name": "T1114.001 - Local Email Collection"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            }
          ],
          "industries": [
            "Manufacturing",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 54,
            "domain": 7,
            "hostname": 10,
            "FileHash-MD5": 308,
            "FileHash-SHA1": 308,
            "FileHash-SHA256": 307,
            "email": 1
          },
          "indicator_count": 995,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 248,
          "modified_text": "1373 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62e2735f7c9245c4972d946d",
          "name": "Threat Profile: RedLine Infostealer",
          "description": "An information stealer, named RedLine Stealer by the author, was identified being delivered through spam email campaigns. The malware is offered for sale on Russian dark web forums and as a tiered subscription, allowing threat actors to use the information stealer, subscribe at different costs and purchase different access levels. In addition to being a password stealer, RedLine has the capability to steal login information, autocomplete data, passwords, and credit card information from browsers.",
          "modified": "2022-08-27T00:02:51.006000",
          "created": "2022-07-28T11:30:39.169000",
          "tags": [
            "redline",
            "redline stealer",
            "insikt group",
            "stolen",
            "future identity",
            "intelligence",
            "recorded future",
            "platform",
            "yara",
            "snort",
            "sigma",
            "folding",
            "proofpoint",
            "learn",
            "stealer malware",
            "figure",
            "march",
            "c panel",
            "trojan redline",
            "united",
            "download",
            "ransomware",
            "stop ransomware",
            "protect",
            "small",
            "tools",
            "mozilla",
            "path",
            "steam",
            "winscp",
            "code",
            "malware",
            "demo",
            "change redline",
            "group",
            "stealer",
            "lapsus",
            "team",
            "please",
            "microsoft",
            "asec",
            "minerva labs",
            "nanocore rat",
            "kela",
            "ave maria",
            "netwire rc",
            "jackal",
            "mars stealer",
            "vidar",
            "discord",
            "quasar rat",
            "bill",
            "xavier",
            "melissa",
            "blaze",
            "taurus",
            "gcleaner",
            "panda",
            "oilrig",
            "mask",
            "crew",
            "machete",
            "back",
            "arkei stealer",
            "ginzo stealer",
            "malicious",
            "adobot",
            "orcus rat",
            "hido",
            "look",
            "upgrade",
            "privateloader",
            "atomic",
            "matryoshka",
            "redlinestealer",
            "open",
            "natalie",
            "oski stealer",
            "underminerek",
            "blacknet rat",
            "michael",
            "agent tesla",
            "taurus stealer",
            "zloader",
            "phishing",
            "stealth mango",
            "cozybear",
            "cozer",
            "oceanlotus",
            "holmium",
            "scarcruft",
            "venus",
            "aluminum",
            "star",
            "matanbuchus",
            "comnie",
            "termite",
            "emdivi",
            "greenbug",
            "careto",
            "cobalt",
            "cyber",
            "dnspionage",
            "darkhotel",
            "luder",
            "nemim",
            "tapaoux",
            "pioneer",
            "havex",
            "evilnum",
            "gcman",
            "ghostnet",
            "bitter",
            "icefog",
            "trident",
            "infy",
            "kinsing",
            "leviathan",
            "esile",
            "elise",
            "sykipot",
            "microcin",
            "mirage",
            "muddywater",
            "mercury",
            "naikon",
            "nettraveler",
            "travnet",
            "nitro",
            "strongpity",
            "keyboy",
            "powerpool",
            "indra",
            "sauron",
            "msupdater",
            "sidewinder",
            "redalpha",
            "mantis",
            "rocke",
            "blackenergy",
            "mimic",
            "silence",
            "guardian",
            "sednit",
            "teamspy",
            "teamtnt",
            "teamxrat",
            "tick",
            "turla",
            "snake",
            "wraith",
            "pfinet",
            "krypton",
            "zoopark"
          ],
          "references": [
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
            "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
            "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RedLine",
              "display_name": "RedLine",
              "target": null
            },
            {
              "id": "Change RedLine",
              "display_name": "Change RedLine",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1130",
              "name": "Install Root Certificate",
              "display_name": "T1130 - Install Root Certificate"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1170",
              "name": "Mshta",
              "display_name": "T1170 - Mshta"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1085",
              "name": "Rundll32",
              "display_name": "T1085 - Rundll32"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1217",
              "name": "Browser Bookmark Discovery",
              "display_name": "T1217 - Browser Bookmark Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1114.001",
              "name": "Local Email Collection",
              "display_name": "T1114.001 - Local Email Collection"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            }
          ],
          "industries": [
            "Manufacturing",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 54,
            "domain": 7,
            "hostname": 10,
            "FileHash-MD5": 308,
            "FileHash-SHA1": 308,
            "FileHash-SHA256": 307,
            "email": 1
          },
          "indicator_count": 995,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 250,
          "modified_text": "1373 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
        "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Change redline",
            "Redline"
          ],
          "industries": [
            "Manufacturing",
            "Healthcare"
          ],
          "unique_indicators": 1027
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/popmonster.ru",
    "whois": "http://whois.domaintools.com/popmonster.ru",
    "domain": "popmonster.ru",
    "hostname": "b.popmonster.ru"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "62e2735c21200c3c34fff30b",
      "name": "Threat Profile: RedLine Infostealer",
      "description": "This information stealer, named RedLine Stealer by its author, was identified being delivered through spam email campaigns. The malware is offered for sale on Russian dark web forums and as a tiered subscription that allows threat actors to use the information stealer, subscribing at different costs and purchasing different access levels. In addition to being a password stealer, RedLine has the capability to steal login information, autocomplete data, passwords, and credit card information from browsers.",
      "modified": "2022-08-27T00:02:51.006000",
      "created": "2022-07-28T11:30:36.121000",
      "tags": [
        "redline",
        "redline stealer",
        "insikt group",
        "stolen",
        "future identity",
        "intelligence",
        "recorded future",
        "platform",
        "yara",
        "snort",
        "sigma",
        "folding",
        "proofpoint",
        "learn",
        "stealer malware",
        "figure",
        "march",
        "c panel",
        "trojan redline",
        "united",
        "download",
        "ransomware",
        "stop ransomware",
        "protect",
        "small",
        "tools",
        "mozilla",
        "path",
        "steam",
        "winscp",
        "code",
        "malware",
        "demo",
        "change redline",
        "group",
        "stealer",
        "lapsus",
        "team",
        "please",
        "microsoft",
        "asec",
        "minerva labs",
        "nanocore rat",
        "kela",
        "ave maria",
        "netwire rc",
        "jackal",
        "mars stealer",
        "vidar",
        "discord",
        "quasar rat",
        "bill",
        "xavier",
        "melissa",
        "blaze",
        "taurus",
        "gcleaner",
        "panda",
        "oilrig",
        "mask",
        "crew",
        "machete",
        "back",
        "arkei stealer",
        "ginzo stealer",
        "malicious",
        "adobot",
        "orcus rat",
        "hido",
        "look",
        "upgrade",
        "privateloader",
        "atomic",
        "matryoshka",
        "redlinestealer",
        "open",
        "natalie",
        "oski stealer",
        "underminerek",
        "blacknet rat",
        "michael",
        "agent tesla",
        "taurus stealer",
        "zloader",
        "phishing",
        "stealth mango",
        "cozybear",
        "cozer",
        "oceanlotus",
        "holmium",
        "scarcruft",
        "venus",
        "aluminum",
        "star",
        "matanbuchus",
        "comnie",
        "termite",
        "emdivi",
        "greenbug",
        "careto",
        "cobalt",
        "cyber",
        "dnspionage",
        "darkhotel",
        "luder",
        "nemim",
        "tapaoux",
        "pioneer",
        "havex",
        "evilnum",
        "gcman",
        "ghostnet",
        "bitter",
        "icefog",
        "trident",
        "infy",
        "kinsing",
        "leviathan",
        "esile",
        "elise",
        "sykipot",
        "microcin",
        "mirage",
        "muddywater",
        "mercury",
        "naikon",
        "nettraveler",
        "travnet",
        "nitro",
        "strongpity",
        "keyboy",
        "powerpool",
        "indra",
        "sauron",
        "msupdater",
        "sidewinder",
        "redalpha",
        "mantis",
        "rocke",
        "blackenergy",
        "mimic",
        "silence",
        "guardian",
        "sednit",
        "teamspy",
        "teamtnt",
        "teamxrat",
        "tick",
        "turla",
        "snake",
        "wraith",
        "pfinet",
        "krypton",
        "zoopark"
      ],
      "references": [
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
        "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
        "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RedLine",
          "display_name": "RedLine",
          "target": null
        },
        {
          "id": "Change RedLine",
          "display_name": "Change RedLine",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1130",
          "name": "Install Root Certificate",
          "display_name": "T1130 - Install Root Certificate"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1170",
          "name": "Mshta",
          "display_name": "T1170 - Mshta"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1085",
          "name": "Rundll32",
          "display_name": "T1085 - Rundll32"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1217",
          "name": "Browser Bookmark Discovery",
          "display_name": "T1217 - Browser Bookmark Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1114.001",
          "name": "Local Email Collection",
          "display_name": "T1114.001 - Local Email Collection"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        }
      ],
      "industries": [
        "Manufacturing",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 54,
        "domain": 7,
        "hostname": 10,
        "FileHash-MD5": 308,
        "FileHash-SHA1": 308,
        "FileHash-SHA256": 307,
        "email": 1
      },
      "indicator_count": 995,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 248,
      "modified_text": "1373 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62e2735f7c9245c4972d946d",
      "name": "Threat Profile: RedLine Infostealer",
      "description": "This information stealer, named RedLine Stealer by its author, was identified being delivered through spam email campaigns. The malware is offered for sale on Russian dark web forums and as a tiered subscription that allows threat actors to use the information stealer, subscribing at different costs and purchasing different access levels. In addition to being a password stealer, RedLine has the capability to steal login information, autocomplete data, passwords, and credit card information from browsers.",
      "modified": "2022-08-27T00:02:51.006000",
      "created": "2022-07-28T11:30:39.169000",
      "tags": [
        "redline",
        "redline stealer",
        "insikt group",
        "stolen",
        "future identity",
        "intelligence",
        "recorded future",
        "platform",
        "yara",
        "snort",
        "sigma",
        "folding",
        "proofpoint",
        "learn",
        "stealer malware",
        "figure",
        "march",
        "c panel",
        "trojan redline",
        "united",
        "download",
        "ransomware",
        "stop ransomware",
        "protect",
        "small",
        "tools",
        "mozilla",
        "path",
        "steam",
        "winscp",
        "code",
        "malware",
        "demo",
        "change redline",
        "group",
        "stealer",
        "lapsus",
        "team",
        "please",
        "microsoft",
        "asec",
        "minerva labs",
        "nanocore rat",
        "kela",
        "ave maria",
        "netwire rc",
        "jackal",
        "mars stealer",
        "vidar",
        "discord",
        "quasar rat",
        "bill",
        "xavier",
        "melissa",
        "blaze",
        "taurus",
        "gcleaner",
        "panda",
        "oilrig",
        "mask",
        "crew",
        "machete",
        "back",
        "arkei stealer",
        "ginzo stealer",
        "malicious",
        "adobot",
        "orcus rat",
        "hido",
        "look",
        "upgrade",
        "privateloader",
        "atomic",
        "matryoshka",
        "redlinestealer",
        "open",
        "natalie",
        "oski stealer",
        "underminerek",
        "blacknet rat",
        "michael",
        "agent tesla",
        "taurus stealer",
        "zloader",
        "phishing",
        "stealth mango",
        "cozybear",
        "cozer",
        "oceanlotus",
        "holmium",
        "scarcruft",
        "venus",
        "aluminum",
        "star",
        "matanbuchus",
        "comnie",
        "termite",
        "emdivi",
        "greenbug",
        "careto",
        "cobalt",
        "cyber",
        "dnspionage",
        "darkhotel",
        "luder",
        "nemim",
        "tapaoux",
        "pioneer",
        "havex",
        "evilnum",
        "gcman",
        "ghostnet",
        "bitter",
        "icefog",
        "trident",
        "infy",
        "kinsing",
        "leviathan",
        "esile",
        "elise",
        "sykipot",
        "microcin",
        "mirage",
        "muddywater",
        "mercury",
        "naikon",
        "nettraveler",
        "travnet",
        "nitro",
        "strongpity",
        "keyboy",
        "powerpool",
        "indra",
        "sauron",
        "msupdater",
        "sidewinder",
        "redalpha",
        "mantis",
        "rocke",
        "blackenergy",
        "mimic",
        "silence",
        "guardian",
        "sednit",
        "teamspy",
        "teamtnt",
        "teamxrat",
        "tick",
        "turla",
        "snake",
        "wraith",
        "pfinet",
        "krypton",
        "zoopark"
      ],
      "references": [
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
        "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
        "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RedLine",
          "display_name": "RedLine",
          "target": null
        },
        {
          "id": "Change RedLine",
          "display_name": "Change RedLine",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1130",
          "name": "Install Root Certificate",
          "display_name": "T1130 - Install Root Certificate"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1170",
          "name": "Mshta",
          "display_name": "T1170 - Mshta"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1085",
          "name": "Rundll32",
          "display_name": "T1085 - Rundll32"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1217",
          "name": "Browser Bookmark Discovery",
          "display_name": "T1217 - Browser Bookmark Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1114.001",
          "name": "Local Email Collection",
          "display_name": "T1114.001 - Local Email Collection"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        }
      ],
      "industries": [
        "Manufacturing",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 54,
        "domain": 7,
        "hostname": 10,
        "FileHash-MD5": 308,
        "FileHash-SHA1": 308,
        "FileHash-SHA256": 307,
        "email": 1
      },
      "indicator_count": 995,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 250,
      "modified_text": "1373 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://b.popmonster.ru/187547149.exe",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://b.popmonster.ru/187547149.exe",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780262856.335526
}