General

  • Target

    micro_805384706.zip

  • Size

    9.7MB

  • Sample

    210117-4xdgex8f8e

  • MD5

    94cf735ee2c2778507efe4978cb4fe3e

  • SHA1

    9fa8f4e3668bb21336010933ff08c78e23c25cb3

  • SHA256

    3ae7cb3bae5adff82eef29e082254c9cfbaab50cbce90640f567add65e632d80

  • SHA512

    e6481ee403ea56ef0cabf0ee2c59d5e1f709182e8ece490cdee8c82b63de8c4896dc5db2c52325b95160ea836037c5d5ff7aa8f076b5104f0fd954443c5edf11

Malware Config

Targets

    • Target

      micro_805384706.exe

    • Size

      9.4MB

    • MD5

      8c87a217f62f72867334dcda67445c36

    • SHA1

      089003443cca7a9343e8221f96a434513c9c1163

    • SHA256

      47dfbd33c99e8254207d7bcb7cdf2be6cf231f9b1960b16ac1888fac71daa61f

    • SHA512

      c1c366b51dcb8084f0887673b75b188ec575a3d5afd3d6cb6e845c36b00d82ffbac3152b86a078f05b3c7c666222705c5916dee441300b7117f5b6f7d6f2c5ee

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Creates new service(s)

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks