General

  • Target

    1.exeoibzrmxk

  • Size

    4.5MB

  • Sample

    220416-f5pw4sehh5

  • MD5

    f556df38b1abf7c5ef71b6bc040bfe93

  • SHA1

    64a174173f3e4c46b8db36fa04f076dca5a3aac7

  • SHA256

    60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a

  • SHA512

    0a74598fb4b4b256555c0e4b8e7b654cc0fcb6a18c16f9da912eeea4b24d79f66776e3484200277ff9705032ef60afca97639df4a273cedb2729d6dd085b598b

Malware Config

Extracted

Family

redline

C2

104.244.76.137:4487

Attributes
  • auth_value

    67c42657a2dc51f3323efd90a04a2b03

Targets

    • Target

      1.exeoibzrmxk

    • Size

      4.5MB

    • MD5

      f556df38b1abf7c5ef71b6bc040bfe93

    • SHA1

      64a174173f3e4c46b8db36fa04f076dca5a3aac7

    • SHA256

      60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a

    • SHA512

      0a74598fb4b4b256555c0e4b8e7b654cc0fcb6a18c16f9da912eeea4b24d79f66776e3484200277ff9705032ef60afca97639df4a273cedb2729d6dd085b598b

    • PhoenixStealer

      PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks