General

  • Target

    b73c34e7b239cf0d14810c17fecefbe7

  • Size

    1.4MB

  • Sample

    211111-kap1vagafk

  • MD5

    b73c34e7b239cf0d14810c17fecefbe7

  • SHA1

    9cbc5fb855aa90249a721f8277b88ea84bea00b6

  • SHA256

    4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

  • SHA512

    35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

Malware Config

Extracted

Family

redline

Botnet

1011bankk

C2

charirelay.xyz:80

Targets

    • Target

      b73c34e7b239cf0d14810c17fecefbe7

    • Size

      1.4MB

    • MD5

      b73c34e7b239cf0d14810c17fecefbe7

    • SHA1

      9cbc5fb855aa90249a721f8277b88ea84bea00b6

    • SHA256

      4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

    • SHA512

      35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks