General

  • Target

    ce25050ecae70706d0e7b33d5304ab6b.exe

  • Size

    659KB

  • Sample

    210608-3qef7z3z1e

  • MD5

    ce25050ecae70706d0e7b33d5304ab6b

  • SHA1

    f1cb237e6daa21a01f9a6492495b8370625ef9f5

  • SHA256

    acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0

  • SHA512

    2be1cef57dff89191d7a4cb1b7b93a6036f6e7a2421568e318bf0103230664fbc690a0acb5c4708e9f7a7ba82d85559f0c6fe014c0dc1f8501d6b96099e3db2d

Malware Config

Extracted

Family

redline

Botnet

MIX 08.06

C2

185.215.113.17:18597

Targets

    • Target

      ce25050ecae70706d0e7b33d5304ab6b.exe

    • Size

      659KB

    • MD5

      ce25050ecae70706d0e7b33d5304ab6b

    • SHA1

      f1cb237e6daa21a01f9a6492495b8370625ef9f5

    • SHA256

      acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0

    • SHA512

      2be1cef57dff89191d7a4cb1b7b93a6036f6e7a2421568e318bf0103230664fbc690a0acb5c4708e9f7a7ba82d85559f0c6fe014c0dc1f8501d6b96099e3db2d

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks