General

  • Target

    39b141e510460797f4ebca8c32fc87968ffe5d0f525c898eb61d8bbcb279fe5e

  • Size

    664KB

  • Sample

    211125-lrx88aabb7

  • MD5

    286c4fcb0a998f7986b2f5e78a17789d

  • SHA1

    38f1323a0c0cff1f6f69bc03c21736c7d9f14d96

  • SHA256

    39b141e510460797f4ebca8c32fc87968ffe5d0f525c898eb61d8bbcb279fe5e

  • SHA512

    cbf0c3d1c7bb25c945a196527ab866b4f2a3fc735adbac385baaa94c1ed589adfb9f0486977490b6c22eb0bc3886bd8a5e23b30fbde9da9a06ad71ab4980e897

Malware Config

Extracted

Family

redline

Botnet

25.11

C2

185.215.113.17:7700

Targets

    • Target

      39b141e510460797f4ebca8c32fc87968ffe5d0f525c898eb61d8bbcb279fe5e

    • Size

      664KB

    • MD5

      286c4fcb0a998f7986b2f5e78a17789d

    • SHA1

      38f1323a0c0cff1f6f69bc03c21736c7d9f14d96

    • SHA256

      39b141e510460797f4ebca8c32fc87968ffe5d0f525c898eb61d8bbcb279fe5e

    • SHA512

      cbf0c3d1c7bb25c945a196527ab866b4f2a3fc735adbac385baaa94c1ed589adfb9f0486977490b6c22eb0bc3886bd8a5e23b30fbde9da9a06ad71ab4980e897

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks