General

  • Target

    8f6c7a779aad2fcebfde67b679378445

  • Size

    3MB

  • Sample

    210915-hkr7vaaab3

  • MD5

    8f6c7a779aad2fcebfde67b679378445

  • SHA1

    c2861843b930684f3c15b779e1027ffffe96bcc7

  • SHA256

    7feb71e0bcd24d21e20f423434b4c9971c174c9e1aafedab36e2ecab1ff3a5bf

  • SHA512

    cbc525092ac6ec65b64944a1708ff102d2019acbf10ad3739a99cd8bb4892f601535028304e957b10fbae19f2d96d9c2f416cc6c79051d4efe651bc03f78fc34

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Orix1

  • C2

    92.222.145.236:60837

Targets


    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 2

  • Command and Control

    Web Service (T1102): 1