General

  • Target: 26808e9fe7def427eea65c3f4b1c7838.exe
  • Size: 692KB
  • Sample: 210727-d38g79fwfa
  • MD5: 26808e9fe7def427eea65c3f4b1c7838
  • SHA1: 36b67b700b9c6c84851ee50211e8a3f714ff8412
  • SHA256: b0c5d41fc112355182211c211ca210868a68c18f199bb7e4cf115650531d19a8
  • SHA512: c383fa5ba083dc5ec711c2c082f17c68404e695c412521deb2093b88342ab39f7ccd4a1c10b10483272287c0d57aeb862312e94d320064459a842d59dbd1ea1b

Malware Config

Extracted

  • Family: redline
  • Botnet: MIX 27.07
  • C2: 185.215.113.17:18597

Targets


    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                      Count  ID
  Defense Evasion      Install Root Certificate       1      T1130
  Defense Evasion      Modify Registry                1      T1112
  Credential Access    Credentials in Files           2      T1081
  Discovery            Query Registry                 2      T1012
  Discovery            System Information Discovery   2      T1082
  Collection           Data from Local System         2      T1005
  Command and Control  Web Service                    1      T1102

Tasks