General

  • Target

    7268e57a354c49482b14d239632cfd73.exe

  • Size

    381KB

  • Sample

    210522-ep9csynfz6

  • MD5

    7268e57a354c49482b14d239632cfd73

  • SHA1

    8d42017b64c9d4060c56f5916bd70c6f42515d13

  • SHA256

    a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d

  • SHA512

    e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297

Malware Config

Extracted

Family

redline

Botnet

BBS1

C2

87.251.71.193:80

Targets

    • Target

      7268e57a354c49482b14d239632cfd73.exe

    • Size

      381KB

    • MD5

      7268e57a354c49482b14d239632cfd73

    • SHA1

      8d42017b64c9d4060c56f5916bd70c6f42515d13

    • SHA256

      a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d

    • SHA512

      e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks