General

  • Target: 09637f910840cebb2f1e2524414c8d62.exe
  • Size: 5.9MB
  • Sample: 220216-2aadtsdga9
  • MD5: 09637f910840cebb2f1e2524414c8d62
  • SHA1: f31516f4e0008dd5dea7f85722488a9db7007e43
  • SHA256: 58484d3924b8c496a925660742b55da793ec4048765edf87c3116e5fb34ebeae
  • SHA512: 9498b20333ca822c88358aa773475bd7604b2e1905417d078014ed41b084e2ab28a1ce197bc4e74aa49b3f2659d051cf803fd98ce9115442654c20b96c837a2c

Malware Config

Extracted

  • Family: redline
  • Botnet: TEST1
  • C2: 86.107.197.196:63065
  • Attributes
    • auth_value: 27ffc688a5404c680b9ac629d48e2917

Extracted

  • Family: redline
  • Botnet: fsdfsd
  • C2: 86.107.197.196:63065
  • Attributes
    • auth_value: b81e14f18d963d6a399900f4e9593719

Targets

    • Target: 09637f910840cebb2f1e2524414c8d62.exe
    • Size: 5.9MB
    • MD5: 09637f910840cebb2f1e2524414c8d62
    • SHA1: f31516f4e0008dd5dea7f85722488a9db7007e43
    • SHA256: 58484d3924b8c496a925660742b55da793ec4048765edf87c3116e5fb34ebeae
    • SHA512: 9498b20333ca822c88358aa773475bd7604b2e1905417d078014ed41b084e2ab28a1ce197bc4e74aa49b3f2659d051cf803fd98ce9115442654c20b96c837a2c

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets file to hidden
      Modifies file attributes so the file is not shown in Explorer and similar file listings.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile contents.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Command-Line Interface (T1059): 1

  • Persistence
    • Modify Existing Service (T1031): 1
    • Hidden Files and Directories (T1158): 2
    • Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    • Hidden Files and Directories (T1158): 2
    • Modify Registry (T1112): 1

  • Credential Access
    • Credentials in Files (T1081): 2

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1

  • Collection
    • Data from Local System (T1005): 2
