General

  • Target

    MVPInstaller.exe

  • Size

    255KB

  • Sample

    220429-qee94aaeg4

  • MD5

    883eb374a6710283bab49bd840d911c7

  • SHA1

    29416739657f2d2b7a900dca6ddeda755852818e

  • SHA256

    24bde190edd5fda4b47d376abef29d385d655c11ccfdeb314ffced065675cad4

  • SHA512

    b2a159e495624cee478be7d3ff409c9d89eb6e8cb021904ab302df4910874013a305ea10100fae12685d8fc0694d84c553e4f61a194498fd0d5ee2bf6cc5527d

Malware Config

Extracted

Family

redline

Botnet

1

C2

116.202.19.253:30602

Attributes
auth_value
da0d7d77d8ec04c55cc5ace3d9113a5c

Targets

    • Target

      MVPInstaller.exe

    • Size

      255KB

    • MD5

      883eb374a6710283bab49bd840d911c7

    • SHA1

      29416739657f2d2b7a900dca6ddeda755852818e

    • SHA256

      24bde190edd5fda4b47d376abef29d385d655c11ccfdeb314ffced065675cad4

    • SHA512

      b2a159e495624cee478be7d3ff409c9d89eb6e8cb021904ab302df4910874013a305ea10100fae12685d8fc0694d84c553e4f61a194498fd0d5ee2bf6cc5527d

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Discovery

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation