Resubmissions

21-04-2021 12:58

210421-v3kae23t9j 10

General

  • Target: trainer v5.1.3.rar
  • Size: 1.4MB
  • Sample: 210421-v3kae23t9j
  • MD5: 0374f350b55bdac8c8296b0cae27291c
  • SHA1: 087f0184a9fd68221d26b7a760094a21e8815cc2
  • SHA256: a813615a6f9835ffdba1d69576deef2dc1fe62a45055901f900c5fc4dd49e61d
  • SHA512: 88143a1b67b1c9f1bb13265793c8a5536c0c7f2ccb67648ca1848c2a69bab2eeef4406fa0706fa58836dea0e968b77989af49d7b025564c9251e2194d5b9d875

Malware Config

Extracted

  • Family: redline
  • Botnet: Studio Product
  • C2: 93.114.128.190:49966

Targets

    • Target: trainer v5.1.3.exe
    • Size: 1.5MB
    • MD5: d411460e9cf04cd64bdc25345bc9783b
    • SHA1: 3374f053e1b9d40558c65bd363a3bae336a76cc8
    • SHA256: d47a34d18de0c08fa32f88fabb0123de6521b20f21a955f050c019a89360acb8
    • SHA512: 8b8b8b9054daedd9f39682ab3d44f757f28085e028e4b666bca17a997e61c48b52cadbfefb851da0b4b4d2979ecd399f55e74bc0c9dd29b44cc26022fb26bd07

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access

    • Credentials in Files (T1081): 2

Discovery

    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1

Collection

    • Data from Local System (T1005): 2
