General

  • Target

    abdc87d538a0da9b573178af23583a23.exe

  • Size

    659KB

  • Sample

    210608-ylhcqtc99n

  • MD5

    abdc87d538a0da9b573178af23583a23

  • SHA1

    a3c1f31a926fe70819efa34315c37c18f208aeec

  • SHA256

    5508703e8970c1194a7dfe14dd08d7a931c4cee1e7d358e481d123cd79996585

  • SHA512

    011dcb3f97c67da98b96d2765b071bb33956c82c871dbba61953039dfa3535e41a2727456b14159cf6371b4dfe0d3f88ad155dd05f4cfd080dcd3bf1d3f291e5

Malware Config

Extracted

Family

redline

Botnet

MIX 08.06

C2

185.215.113.17:18597

Targets

    • Target

      abdc87d538a0da9b573178af23583a23.exe

    • Size

      659KB

    • MD5

      abdc87d538a0da9b573178af23583a23

    • SHA1

      a3c1f31a926fe70819efa34315c37c18f208aeec

    • SHA256

      5508703e8970c1194a7dfe14dd08d7a931c4cee1e7d358e481d123cd79996585

    • SHA512

      011dcb3f97c67da98b96d2765b071bb33956c82c871dbba61953039dfa3535e41a2727456b14159cf6371b4dfe0d3f88ad155dd05f4cfd080dcd3bf1d3f291e5

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks