22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f

General
Target

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f

Size

6MB

Sample

220127-web6bshcc8

Score
10/10
MD5

8f8f140fc190448aa8b9b1e3ae118039

SHA1

37c537bb09d0b2738bf78a83d6ee6d7e78febe17

SHA256

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f

SHA512

c058ddf5a3259cab006d711a4caa6dc244ef1e95d9a2dcdac4c8a07d95c92b77245c3f74b76f497907f9f9fc92d932522bc9ba6cd4682e6e068adaabf0d43680

Malware Config
Targets
Target

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f

MD5

8f8f140fc190448aa8b9b1e3ae118039

Filesize

6MB

Score
10/10
SHA1

37c537bb09d0b2738bf78a83d6ee6d7e78febe17

SHA256

22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f

SHA512

c058ddf5a3259cab006d711a4caa6dc244ef1e95d9a2dcdac4c8a07d95c92b77245c3f74b76f497907f9f9fc92d932522bc9ba6cd4682e6e068adaabf0d43680

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

  • Core1 .NET packer

    Description

    Detects packer/loader used by .NET malware.

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry
    Peripheral Device Discovery
    System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

    Command and Control
    Credential Access
    Defense Evasion
    Execution
    Exfiltration
    Impact
    Initial Access
    Lateral Movement
    Privilege Escalation