Overview

overview

10

Static

static

QRT/Engine.js

windows7_x64

1

QRT/Engine.js

windows10_x64

1

QRT/Run.exe

windows7_x64

10

QRT/Run.exe

windows10_x64

10

QRT/xNet.dll

windows7_x64

1

QRT/xNet.dll

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    QRT.rar

  • Size

    563KB

  • Sample

    210724-7jm1w8h5ce

  • MD5

    23904d4c873b3ea5563baf68231dbbdf

  • SHA1

    93e1c51b401f82d82b59fc27c197a4f39453f470

  • SHA256

    e763077db1f7c1fd044500b89fb1470f841c688f3a6a91a983e4ed32b41cd1da

  • SHA512

    b8675231a27c2c43610b3aea7366b140623bf87a169e7ad6a5cd6608e3f163331034a77aefa570316550c82e3dc28c963882374c092df6925b93b419884f4fb7

Score
10/10
redlinekingdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

king

C2

95.217.123.66:5143

Targets

    • Target

      QRT/Engine.js

    • Size

      870KB

    • MD5

      62ef5e3b94fef67f046b99b587fe013e

    • SHA1

      5f36e3fb609a35f405ade92982b7205111dabc63

    • SHA256

      125949ad84b6dff236614a3ef542f2a814b1024385fa9f9d64eb2403fd4b26fc

    • SHA512

      06654013becdf9e20479bf3140bc57b1dce5ef5d1512749b61539318be00fc384cbb80f0aa3e69b8d9f3fe4cc0e4c08f7504fde6d654b0bc0c2086349cf934fb

    Score
    1/10
    behavioral1behavioral2

    • Target

      QRT/Run.exe

    • Size

      335KB

    • MD5

      773a73b58db42b4a9a401c7e1be205da

    • SHA1

      bde374101e34185608e6c5845494e22144c6954c

    • SHA256

      ce2ff7b57590b7da15183e8906a59c5cc94c786b44b6248c7dbe50dfceb917f2

    • SHA512

      d91999dbdf130b9d44bc2cb0e577974381c288217e49cb062817d7cd22c83e35482d5464f0537652ef44ef4638c509bc566c540893b0383a637e931e043d505e

    Score
    10/10
    redlinekingdiscoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      QRT/xNet.dll

    • Size

      2.9MB

    • MD5

      0a56659cff9731c30ce87968cac0ef23

    • SHA1

      4fdef03ec3da0a74ec89e369df486035a4995c6d

    • SHA256

      ac5f7131a15c02620676ff6dc89ba6485bbe88aadd244d297586b438ce13c811

    • SHA512

      6653a3b51518ec0c611ca8fa639d49747dd8cd03622358f10f48c82b41b6dad840047ed72a09a74ecf94e2ddd5e813bbe76cbdc916d3e5a65d63f816e00f3039

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks