General

  • Target

    fb89d57447db2445a18842b156ede54a

  • Size

    1MB

  • Sample

    220330-z2p79adebq

  • MD5

    fb89d57447db2445a18842b156ede54a

  • SHA1

    69fd005c7f4da455cc16198c308c02597aeed475

  • SHA256

    12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c

  • SHA512

    2dca1e302379ec0543ff4e9f8f4dc18c1ef76b758fb17823f9a6835fbfbcd1afce759719592060db1a95ba3085ed6fbb9678b364342a8b22e2c982928c2e47be

Malware Config

Extracted

Family

redline

Botnet

1

C2

116.202.11.19:24855

Attributes
  • auth_value

    24b5bd5b441536b793bf4e2a4d143416

Targets

    • Target

      fb89d57447db2445a18842b156ede54a

    • Size

      1MB

    • MD5

      fb89d57447db2445a18842b156ede54a

    • SHA1

      69fd005c7f4da455cc16198c308c02597aeed475

    • SHA256

      12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c

    • SHA512

      2dca1e302379ec0543ff4e9f8f4dc18c1ef76b758fb17823f9a6835fbfbcd1afce759719592060db1a95ba3085ed6fbb9678b364342a8b22e2c982928c2e47be

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks