General

  • Target

    mixazed_20210722-085032

  • Size

    1.1MB

  • Sample

    210722-nz64n9s91j

  • MD5

    ff6f0a35a5c1198e8b0f72822acf90c0

  • SHA1

    1a26b1307b1a9c4ca699eeffe316ca5ee696b4bd

  • SHA256

    5d3c164a69533582e2fcaaf4d39165a1eeba9c63d1b4a81971e5f2f7ab19513a

  • SHA512

    c1f4469570c7b2a899615a9099f5eecdc284d879d26b11ab599e76257c2c7e823c01d64fb864588ecd98ab2ef610cd3d34a2f4c2e1ccf2378bfdbe49568654b8

Malware Config

Extracted

Family

redline

Botnet

Nerino 10k

C2

salanoajalio.xyz:80

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved logins, cookies, autofill entries and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process is a common step in process hollowing: the payload is written into a suspended child process and the thread's entry point is redirected to it before the thread is resumed.
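The signatures above and the C2 from the extracted config can be turned into a hunting rule. The following is an added example, not code from the sandbox report or from RedLine itself: it replays constructed endpoint telemetry through one matcher per reported behaviour and groups hits per process, since a single signature (a browser reading its own profile) is weak on its own while a cluster of them in one process is not. The event schema (type/pid/image/path/key/host/port), the pids and the file paths are assumptions for illustration, not any vendor's format or the sandbox's own data; the browser file names are real defaults, the wallet directories are common defaults you should extend for your environment.

```python
import re
from collections import defaultdict

# Indicator taken from the report's extracted config.
C2_HOST = "salanoajalio.xyz"
C2_PORT = 80

# Credential stores of Chromium- and Gecko-based browsers (real default file names).
BROWSER_DATA = re.compile(
    r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
# Desktop wallet directories (assumption: common default locations, extend as needed).
WALLET_DATA = re.compile(
    r"\\(Exodus|Electrum|Ethereum\\keystore|Bitcoin\\wallets)\\", re.I)
# Registry location enumerated to list installed software (the Uninstall key).
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)
# Per-user Startup folder used for persistence.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Binaries dropped into the user's temp directory.
DROPPED_BINARY = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(exe|dll)$", re.I)


def classify(event):
    """Return the report signature names that one telemetry event matches."""
    kind = event["type"]
    path = event.get("path", "")
    if kind == "process_start" and DROPPED_BINARY.search(event.get("image", "")):
        return ["Executes dropped EXE"]
    if kind == "image_load" and path.lower().endswith(".dll") and DROPPED_BINARY.search(path):
        return ["Loads dropped DLL"]
    if kind == "file_write" and STARTUP_DIR.search(path):
        return ["Drops startup file"]
    if kind == "file_read":
        hits = []
        if BROWSER_DATA.search(path):
            hits.append("Reads user/profile data of web browsers")
        if WALLET_DATA.search(path):
            hits.append("Accesses cryptocurrency files/wallets")
        return hits
    if kind == "registry_query" and UNINSTALL_KEY.search(event.get("key", "")):
        return ["Checks installed software on the system"]
    if (kind == "network_connect" and event.get("host", "").lower() == C2_HOST
            and event.get("port") == C2_PORT):
        return ["Connects to extracted C2"]
    return []


def hunt(events):
    """Group matched signatures per pid; stealer activity clusters in one process."""
    findings = defaultdict(set)
    for ev in events:
        for sig in classify(ev):
            findings[ev["pid"]].add(sig)
    return dict(findings)


def suspicious(findings, threshold=3):
    """Pids that tripped at least `threshold` distinct signatures, most hits first."""
    ranked = sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [pid for pid, sigs in ranked if len(sigs) >= threshold]


# Constructed sample telemetry: pids, user name and paths are invented.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\payload.exe"},
    {"type": "registry_query", "pid": 4120,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\u\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "network_connect", "pid": 4120, "host": "salanoajalio.xyz", "port": 80},
    # Benign noise: the browser itself reading its profile trips one signature only.
    {"type": "file_read", "pid": 900,
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network_connect", "pid": 900, "host": "example.com", "port": 443},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for pid in suspicious(results):
        print(pid, sorted(results[pid]))
```

In production the `file_read` matcher needs an allow-list of browser and wallet process images, otherwise the legitimate owners of those files generate constant hits; the per-pid threshold in `suspicious` is the cheap substitute used here.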

MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is how many of the signatures above map to it.

Credential Access

    • Credentials in Files (T1081): 2

Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 1

    • Remote System Discovery (T1018): 1

Collection

    • Data from Local System (T1005): 2

Note that the matrix uses ATT&CK v6 identifiers; T1081 was deprecated in later versions and its content moved to T1552.001 (Unsecured Credentials: Credentials In Files), while T1012, T1082, T1018 and T1005 keep their identifiers.
