General

  • Target: 41c114e52de616504df1cd4137de1ce8.exe
  • Size: 187KB
  • Sample: 210421-gy3jbt1gys
  • MD5: 41c114e52de616504df1cd4137de1ce8
  • SHA1: 0579cc93cf8e6dd57e878da1f520499e4a77cf5a
  • SHA256: 556c6ec49b714eb7bf9b3d816fd18a8962fb6be756224aa4cf8614e5bd7f0738
  • SHA512: 4dd0a49f9e5481cb3d3644604e896bc338021968fbae72d426ec67643759b644cba0f4dac81c7c3fef9a05aeca58171f11d790dc5ef76797bbe99a2e57900634

Malware Config

Extracted

  • Family: redline
  • Botnet: 20_4_net
  • C2: Sthellete.xyz:80

Extracted

  • Family: redline
  • Botnet: tor1
  • C2: 45.67.228.131:9603

Extracted

  • Family: redline
  • Botnet: sup
  • C2: 23.83.133.165:12639

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder: T1060 (1)

Defense Evasion

  • Modify Registry: T1112 (2)
  • Install Root Certificate: T1130 (1)

Credential Access

  • Credentials in Files: T1081 (2)

Discovery

  • Query Registry: T1012 (1)
  • System Information Discovery: T1082 (1)

Collection

  • Data from Local System: T1005 (2)

Command and Control

  • Web Service: T1102 (1)
