General

  • Target

    24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.zip

  • Size

    153KB

  • Sample

    210520-qp6rcgd7ja

  • MD5

    a4b08c79caba24ba5324674c50cdf3dc

  • SHA1

    e09ec6694b34b068984725db4624b6a104f2553e

  • SHA256

    8c20d5beb112952d19593b2432d11e3022e69fb5e26ef160ff61b5613760b998

  • SHA512

    b8aea9bf1206c520e053a9cbed09ec4732eb96c61e8458aca4c25cfec7fdd8fc88f696dbe78f74cff3a5f07c6570433353c4772e05eb0dbfdf80f8d0ff863516

Malware Config

Extracted

Family

redline

Botnet

KREATOR

C2

45.140.146.214:20498

Targets

    • Target

      24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003

    • Size

      569KB

    • MD5

      4842156a83bbc8f5b1b46b0e2a597ab4

    • SHA1

      bdda0f367bf93fa75e2bf4b632daab8b615c9c69

    • SHA256

      24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003

    • SHA512

      f0fe9c63fc8fd1333297b76f7f0ed414535ffb4f8ab96906c8207840bf63688d8b6e0de8053e7882eeb616ddf83c8021d5940adc9fcba4e8fd1e342c67343f73

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

Defense Evasion

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks