General

  • Target

    11d0aea48bf2b268941cfcac15a9909b.exe

  • Size

    1.1MB

  • Sample

    210420-x1y88ecn1s

  • MD5

    11d0aea48bf2b268941cfcac15a9909b

  • SHA1

    e64488ef09cc7657e7e632edb7f75d36d95cf11d

  • SHA256

    ee003e3fb0419a3a8e1c47c66f2001c7bdbf72fb8a829193c2298e2f1309ca6f

  • SHA512

    d3266f6fa28ed73456e4159fb6ea5d592162a7afce289cb617cd138d47684c7877a4434d14dd1c57e333a3c5f29608db8d7e45ec2d74bd4bbce8597b3eb2a186

Malware Config (extracted)

  • Family

    redline

  • Botnet

    version_4

  • C2

    135.125.166.131:60294

Targets

    • Target

      11d0aea48bf2b268941cfcac15a9909b.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files, T1081 (2)

  • Discovery

    Query Registry, T1012 (1)

  • Collection

    Data from Local System, T1005 (2)

Tasks