Resubmissions

10-05-2021 10:26

210510-51q2zwvjce 10

General

  • Target

    22F9967C010BF3B752D56BCDEE846BF5.exe

  • Size

    612KB

  • Sample

    210510-51q2zwvjce

  • MD5

    22f9967c010bf3b752d56bcdee846bf5

  • SHA1

    688b82c1eb648ee5eea04042da253d77c706f945

  • SHA256

    d8a12da66c3b95e1f2dc9c7e5667a5baf7dbdbbaff01f342222dc696c07455fa

  • SHA512

    b4dfd895af0f98de30d6446e847e3451c8d8fa7a6571aaac7db3c0fd40febc982e52035af709db3bba68b0e19037ee71443863b25ed3d5dcc13bb0375d69c3c6

Malware Config

Extracted

Family

redline

Botnet

source1

C2

199.195.251.96:43073

Targets

    • Target

      22F9967C010BF3B752D56BCDEE846BF5.exe

    • Size

      612KB

    • MD5

      22f9967c010bf3b752d56bcdee846bf5

    • SHA1

      688b82c1eb648ee5eea04042da253d77c706f945

    • SHA256

      d8a12da66c3b95e1f2dc9c7e5667a5baf7dbdbbaff01f342222dc696c07455fa

    • SHA512

      b4dfd895af0f98de30d6446e847e3451c8d8fa7a6571aaac7db3c0fd40febc982e52035af709db3bba68b0e19037ee71443863b25ed3d5dcc13bb0375d69c3c6

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks