General

  • Target

    18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973

  • Size

    102KB

  • Sample

    220321-s4jd6addh2

  • MD5

    37bd9e1832978b6c5044fdc28694c765

  • SHA1

    a6840f04877701c607d8afa373ee6ec86a4a3975

  • SHA256

    18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973

  • SHA512

    d0e7972c9d67384ac59c76f763a1f8ab3fec921db68beee321cb91e47a35fafa789396baee10c8ade0d1585c450a2f4f5ce2a2b05d1b6466ee985bcfaced79e4

Malware Config

Extracted

Family

redline

Botnet

@JABKA9983

C2

65.108.82.103:15914

Attributes
  • auth_value

    3da459a4f4fcd6fe99288a78b3680c31

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 2

  • Command and Control

    Web Service (T1102): 1