General

  • Target

    Installer.exe

  • Size

    1.6MB

  • Sample

    210730-hfr5fnesaa

  • MD5

    8a1995805ad65999ec546a1074ac9887

  • SHA1

    11d5589ca5ebb127ea57b89ee5da89e0b64fa4c6

  • SHA256

    2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b

  • SHA512

    cad4e187956e4db24d291ea725caf89439440eb97ebe9fa76438b76ada66ecc01a4143bf688c6506ec5148c79338e7f581305d2cb8ad17552c558c62706ae777

Malware Config

Extracted

Family

redline

Botnet

mastif

C2

91.121.146.23:9519

Targets

    • Target

      Installer.exe

    • Size

      1.6MB

    • MD5

      8a1995805ad65999ec546a1074ac9887

    • SHA1

      11d5589ca5ebb127ea57b89ee5da89e0b64fa4c6

    • SHA256

      2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b

    • SHA512

      cad4e187956e4db24d291ea725caf89439440eb97ebe9fa76438b76ada66ecc01a4143bf688c6506ec5148c79338e7f581305d2cb8ad17552c558c62706ae777

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Tasks