General

  • Target: system.zip
  • Size: 10.2MB
  • Sample: 210727-sr2axec1ws
  • MD5: d0e380eaaa9acbab5a7b46335ca80ff3
  • SHA1: b58302b536f10ade5b9de0648bcb564421be7195
  • SHA256: 4602481a7b412f265ef10b4199eebdef8035f9ea47870507c53e1be14cd8c36b
  • SHA512: 020afdb29a290256baa99af06b6306754c8102a06a0fd9b429c0cbfd4c92936009990e316e4264e6da2bacf8ec68d2c2406c6024420432aaae4d22d360d99a0f

Malware Config

Extracted

  • Family: redline
  • Botnet: @keciler1
  • C2: dishontesa.xyz:80

Targets

    • Target: CODUnlockAllTool.exe
    • Size: 365KB
    • MD5: 14c3638c64de46bee97333288e6ffc63
    • SHA1: b487c650206783a25a5aeeceaf266da8edbb9d77
    • SHA256: 5ebd4e341126782acf0e2ae9878cc590b8e0bb4e4bcaa1cf9d4caedd50819646
    • SHA512: d3129c607fa276246539358bb592207b05a945738836df85e44f8e8366717ecbddf6ba421ac8e055a406ad93a0391118335fe662b9825c5f36bfa2dba07645e3

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine Payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

    • Target: system.dll
    • Size: 10.3MB
    • MD5: 491bd2e961c6fe528e82baa12c198018
    • SHA1: 3ee364791dac102a4491f0e13a8dfbc5f0ee94a8
    • SHA256: 229b3dfbee8168608f983c089f9d0c07127523859e102d9e1efaac018b5d3650
    • SHA512: d63dd8ac173ab04cc74c42f17695c75a0d8e81edad53133f1fb63b428e4f480f90767aa515ee9e1be92f3cd4fb30f13b03f8bee57f3bf6b7d21c789515fb3134

    Score: 1/10

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files, T1081 (2)
  • Discovery: Query Registry, T1012 (1)
  • Collection: Data from Local System, T1005 (2)