General

  • Target

    SecuriteInfo.com.Variant.Bulz.241879.18500.7579

  • Size

    512KB

  • Sample

    201201-gsxmdq4lza

  • MD5

    3f4e559cf4c7ce058a3c1368f5137840

  • SHA1

    d079140a01cb3ac2eb5421cf05d2c60472331c96

  • SHA256

    b9ff9371b8d7b58efd56d5d5b7e63b71db6053be98c3b072e8743fd664c6b29b

  • SHA512

    c1fe67d5457221bc88e4d01459107123c62c0237b4b8fe4f11a0a2500bffe98055ad13322163ccf0be8e4046b427f224a4a75a24a0ed488e2be201aed80ac151

Malware Config

Targets

    • Target

      SecuriteInfo.com.Variant.Bulz.241879.18500.7579

    • Size

      512KB

    • MD5

      3f4e559cf4c7ce058a3c1368f5137840

    • SHA1

      d079140a01cb3ac2eb5421cf05d2c60472331c96

    • SHA256

      b9ff9371b8d7b58efd56d5d5b7e63b71db6053be98c3b072e8743fd664c6b29b

    • SHA512

      c1fe67d5457221bc88e4d01459107123c62c0237b4b8fe4f11a0a2500bffe98055ad13322163ccf0be8e4046b427f224a4a75a24a0ed488e2be201aed80ac151

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks