General

  • Target

    815ffa3c345825b487391c9648074b38e69777766680ac5f6ffd791d6af59f82

  • Size

    565KB

  • Sample

    210915-hjbtgadafj

  • MD5

    2ed0ce61a138cec17c07db3d01e0b440

  • SHA1

    35598a7a32bbdd7f81bbdb90270cd00877ee64f5

  • SHA256

    815ffa3c345825b487391c9648074b38e69777766680ac5f6ffd791d6af59f82

  • SHA512

    47c40b98a583e4b3a352598b6f75c9e0d28e1cbf361346ef102fc01fcc783e778debcf059c46ecb3fca506649f1048e0b5196c99f09d7d09b6c285eca66f1249

Malware Config

Extracted

Family

redline

Botnet

mix15.09

C2

185.215.113.15:6043

Targets

    • Target

      815ffa3c345825b487391c9648074b38e69777766680ac5f6ffd791d6af59f82

    • Size

      565KB

    • MD5

      2ed0ce61a138cec17c07db3d01e0b440

    • SHA1

      35598a7a32bbdd7f81bbdb90270cd00877ee64f5

    • SHA256

      815ffa3c345825b487391c9648074b38e69777766680ac5f6ffd791d6af59f82

    • SHA512

      47c40b98a583e4b3a352598b6f75c9e0d28e1cbf361346ef102fc01fcc783e778debcf059c46ecb3fca506649f1048e0b5196c99f09d7d09b6c285eca66f1249

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

      suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks