General

  • Target

    5bec9bac97f364b8d47bacab3f34e5ec55011cee30a630cadeb87679f8bad742

  • Size

    638KB

  • Sample

    210831-q6yv1bhzcj

  • MD5

    ef72b031e5d88c9c192384392334e6f3

  • SHA1

    b27b70a7d57aecfc79e6e5fc601d1cfbdd272979

  • SHA256

    5bec9bac97f364b8d47bacab3f34e5ec55011cee30a630cadeb87679f8bad742

  • SHA512

    ae8bd1a217288f95ebc0ec44746701b58e4a725422f65b42aa2e3b0a48d4b46109ea9f4c556e9c8eb3943105a57957463af79b6c5cb358b44da0e68959963a15

Malware Config

Extracted

Family

redline

Botnet

mix31.08

C2

185.215.113.15:6043

Targets

    • Target

      5bec9bac97f364b8d47bacab3f34e5ec55011cee30a630cadeb87679f8bad742

    • Size

      638KB

    • MD5

      ef72b031e5d88c9c192384392334e6f3

    • SHA1

      b27b70a7d57aecfc79e6e5fc601d1cfbdd272979

    • SHA256

      5bec9bac97f364b8d47bacab3f34e5ec55011cee30a630cadeb87679f8bad742

    • SHA512

      ae8bd1a217288f95ebc0ec44746701b58e4a725422f65b42aa2e3b0a48d4b46109ea9f4c556e9c8eb3943105a57957463af79b6c5cb358b44da0e68959963a15

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

      suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks