General

  • Target

    5102339d0c7798a4b2e76da45ba388fe.exe

  • Size

    393KB

  • Sample

    211123-j3xeyscfd2

  • MD5

    5102339d0c7798a4b2e76da45ba388fe

  • SHA1

    5cc4d9a585e440ba9e432aa513ec12756ffb6694

  • SHA256

    f8b3c35d8acac0edaaf2f294e616a341e60d52e1dea41d0fab08e950ca0ad8ee

  • SHA512

    c129500d17c1e03ed1cdc6c047c93c15bddbba4aa11a46173d351ef06452be9115be85ebdb0215f2fa28d0e1b53a46e238636bd1cd0a4f114a4f7253db36d77e

Malware Config

Extracted

  • Family

    redline

  • Botnet

    wir

  • C2

    45.87.154.220:16714

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Install Root Certificate (T1130), 1 hit
    Modify Registry (T1112), 1 hit

  • Credential Access

    Credentials in Files (T1081), 2 hits

  • Discovery

    Query Registry (T1012), 1 hit

  • Collection

    Data from Local System (T1005), 2 hits

  • Command and Control

    Web Service (T1102), 1 hit

Tasks