General

  • Target

    SS™ Install.exe

  • Size

    20.0MB

  • Sample

    210126-z234vpctv2

  • MD5

    8a98a1219b88d973ed494f8f3037fed4

  • SHA1

    822510a92978231f108d3666003d44ea76e11edb

  • SHA256

    45de963b46628c445931c07fdddd889c33e6be1e2847340d7971b49b40dea39e

  • SHA512

    314a4f04e42a87eb396fb4642d4025ecf71c8ee0282355ad70a237be1e6cebf2066fb5a25a0149ddee08e24e0d788608c309fae3a2a7c4f53565442c6f571c72

Malware Config

Targets

    • Target

      SS™ Install.exe

    • Size

      20.0MB

    • MD5

      8a98a1219b88d973ed494f8f3037fed4

    • SHA1

      822510a92978231f108d3666003d44ea76e11edb

    • SHA256

      45de963b46628c445931c07fdddd889c33e6be1e2847340d7971b49b40dea39e

    • SHA512

      314a4f04e42a87eb396fb4642d4025ecf71c8ee0282355ad70a237be1e6cebf2066fb5a25a0149ddee08e24e0d788608c309fae3a2a7c4f53565442c6f571c72

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check (stealers commonly exit on CIS locales).

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox's stock note reads "likely ransomware behaviour"; for an infostealer such as RedLine this is more consistent with host profiling than with encryption.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
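
The behaviours above are sandbox signature names; the following is an added example of how an analyst could re-derive them from a behaviour log, not the sandbox's own signature code. The `<type>|<value>` event format, the sample events, the registry paths (the `Geo\Nation` key for locale, the `CurrentVersion\Uninstall` tree for installed software), the wallet directory names and the IP-lookup hostnames are assumptions chosen for illustration; `0x11` is the documented `THREADINFOCLASS` value for `ThreadHideFromDebugger`.

```python
"""Map sandbox-style behaviour events to the signatures listed in this report.

Added example, not code from the original report or from any sandbox. The
event schema, registry paths, hostnames and file paths below are assumptions
for illustration; adapt the patterns to your own sandbox's log format.
"""
import re
from collections import defaultdict

# Constructed sample events in a simplified "<type>|<value>" shape.
SAMPLE_EVENTS = """\
reg_read|HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation
reg_read|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip\\DisplayName
reg_read|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome\\DisplayName
api_call|NtSetInformationThread|ThreadInformationClass=0x11
api_call|SetThreadContext|hThread=0x1f4
file_read|C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
file_read|C:\\Users\\Admin\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
http_get|https://api.ipify.org/
file_open|\\\\.\\PhysicalDrive0
"""

# (signature name from the report, event type, pattern over the event value).
# The concrete paths/hosts are assumed indicators, not an exhaustive list.
RULES = [
    ("Checks computer location settings", "reg_read",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system", "reg_read",
     re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)),
    # ThreadInformationClass 0x11 == ThreadHideFromDebugger (anti-debug).
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "api_call",
     re.compile(r"^NtSetInformationThread\|ThreadInformationClass=0x11$", re.I)),
    # SetThreadContext on another thread is a common process-injection step.
    ("Suspicious use of SetThreadContext", "api_call",
     re.compile(r"^SetThreadContext\|", re.I)),
    ("Reads user/profile data of web browsers", "file_read",
     re.compile(r"\\User Data\\.*\\(Login Data|Cookies|Web Data)$", re.I)),
    ("Accesses cryptocurrency files/wallets", "file_read",
     re.compile(r"\\(Exodus|Electrum|Ethereum)\\", re.I)),
    ("Looks up external IP address via web service", "http_get",
     re.compile(r"^https?://(api\.ipify\.org|ipinfo\.io|ifconfig\.me)/", re.I)),
    ("Enumerates physical storage devices", "file_open",
     re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I)),
]


def parse_events(text):
    """Split the log into (type, value) pairs; value keeps any further '|' fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        ev_type, _, value = line.partition("|")
        events.append((ev_type, value))
    return events


def match_signatures(events):
    """Return {signature name: [matching event values]} for every rule that fired."""
    hits = defaultdict(list)
    for ev_type, value in events:
        for name, rule_type, pattern in RULES:
            if ev_type == rule_type and pattern.search(value):
                hits[name].append(value)
    return dict(hits)


if __name__ == "__main__":
    for name, values in sorted(match_signatures(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{name}: {len(values)} event(s)")
        for v in values:
            print(f"    {v}")
```

Each rule is keyed on the event type as well as the value so that a path seen in a file read is not mistaken for a registry access; when porting this to a real sandbox export, keep that split, since most false positives in behaviour scoring come from matching a string regardless of the operation that produced it.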

MITRE ATT&CK Enterprise v6

Tasks