Resubmissions

05-04-2021 09:29

210405-8ga7y7zk36 10

03-04-2021 06:00

210403-gtexn6kycs 10

General

  • Target

    Setup[1].exe

  • Size

    1.3MB

  • Sample

    210405-8ga7y7zk36

  • MD5

    0657125b7850a7b5796bf6979da502f0

  • SHA1

    686d1ad201f0706daec7dd9bfa60fd1144a7b876

  • SHA256

    c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49

  • SHA512

    879167e0b34e015e62828151a05b785f3f9b99e2826be73fe9afc4d671dedec19c9994d2481c060e453367885ba16cce0252e7049bdb59c5ee90885f6527e10c

Malware Config

Extracted

Family

redline

Botnet

010402

C2

194.135.20.72:3214

Targets

    • Target

      Setup[1].exe

    • Size

      1.3MB

    • MD5

      0657125b7850a7b5796bf6979da502f0

    • SHA1

      686d1ad201f0706daec7dd9bfa60fd1144a7b876

    • SHA256

      c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49

    • SHA512

      879167e0b34e015e62828151a05b785f3f9b99e2826be73fe9afc4d671dedec19c9994d2481c060e453367885ba16cce0252e7049bdb59c5ee90885f6527e10c

    • Beapy

      Beapy is a python worm with crypto mining capabilities.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks