allcome | 463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe | Triage

Sharing

General

Target

463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe
Size

4.5MB
Sample

220219-nxf81aadd3
MD5

22b96b68b4372ff2ce604723e9436963
SHA1

066ff406521cc2f0aed70414ee8d4d7751d0fe2a
SHA256

463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe
SHA512

0ecde5a89dd548cf16867c9a6c66c5b12f2b2e51920c1ab7cc1ff241f69a03116fe011aed2172c00cfe708c77856d5fe19d59b01a3880e3dfe38509a682d8a38

Score

10^/10

allcome redline @zexan infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@Zexan

C2

92.255.85.137:41320

Attributes

auth_value
da8092c88adbe82a93341dec420f0fa7

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/Clipper/configure.php?cf6zrlhn=Rachel

Wallets

DCbpjBAroXBj3jrvq8HRPAKd8wYPnBwwi7

rKewCaU4Q6gqJnb5nJqkDY69QoxHKXAJZi

Xiem2Rw5LULbzv6rM49FqKAKD1nHSxpjxb

TZ3Pn82NBECik8ujtc3Wu5AVsQLCdt7cG1

t1Pxn7QZPAVhrsd2cdPHDEjDR1jtwpoUvbT

GDKPOPZWADWVDB2B743X7Q5QIMXIFJTIJ3K3JTR5P2EKO22GJQRAZRKC

497qdSyfY8t9dYnAGTnk8UigUbUPL4MXTFAxobWPDZ5rReSiVNL22GEGt9ptgNbDbTe3qyj3oRq2LfEYbws8yGqnSjBWHR6

qra53qtr5kvaye7gvf5algrre5h0w6harqxluum6kp

bc1q79xgc502sqzt4qz0jhr7lr7qdxkf2z006gym0l

0X9BD5F03363CA0231A32B3B36AE2CF01623E2D1FE

LcPqsR8yyzukNBgoKrq3pKEXV4rpuMeF91

ronin:09864801afc2b70c960366f4c8ad806fe9d6965d

ltc1qsdn52gjku7sts4r64fyqelqkfm789gvagglnaj

bc1q79xgc502sqzt4qz0jhr7lr7qdxkf2z006gym0l

Targets

- Target
  
  463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe
- Size
  
  4.5MB
- MD5
  
  22b96b68b4372ff2ce604723e9436963
- SHA1
  
  066ff406521cc2f0aed70414ee8d4d7751d0fe2a
- SHA256
  
  463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe
- SHA512
  
  0ecde5a89dd548cf16867c9a6c66c5b12f2b2e51920c1ab7cc1ff241f69a03116fe011aed2172c00cfe708c77856d5fe19d59b01a3880e3dfe38509a682d8a38
Score

10^/10

allcome redline @zexan infostealer persistence spyware stealer
- Allcome
  A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
  stealer allcome
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

allcomeredline@zexaninfostealerpersistencespywarestealer