General

  • Target

    tmp

  • Size

    2.4MB

  • Sample

    220419-2l5zwaffe3

  • MD5

    d3fa25cd32ce80a0ceadd3fd558a937e

  • SHA1

    97bcc54787d0be7c7a763c115013f4a21d5b6141

  • SHA256

    b91b53a5da645167538324aa1c374ce74cd2eda98158015c70f8283aeaf12176

  • SHA512

    739e87620be35b06bc610a49b0fe781e5deba1938757cc0ca8f28071bac8c14119e85574344b632ab7833580d2a5499129f99ff61638f6307bd9bee2de86ba41

Malware Config

Extracted

Family

redline

Botnet

install

C2

193.150.103.38:40169

Attributes
  • auth_value

    7b121606198c8456e17d49ab8c2d0e42

Targets

    • Target

      tmp

    • Size

      2.4MB

    • MD5

      d3fa25cd32ce80a0ceadd3fd558a937e

    • SHA1

      97bcc54787d0be7c7a763c115013f4a21d5b6141

    • SHA256

      b91b53a5da645167538324aa1c374ce74cd2eda98158015c70f8283aeaf12176

    • SHA512

      739e87620be35b06bc610a49b0fe781e5deba1938757cc0ca8f28071bac8c14119e85574344b632ab7833580d2a5499129f99ff61638f6307bd9bee2de86ba41

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

1
T1158

Defense Evasion

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks