General

  • Target

    409a345a063f2fc853b7b45c060970231d9fdc6b45344.exe

  • Size

    1.2MB

  • Sample

    220514-se1bdacgcn

  • MD5

    c52e23f559f027c6af598ff0a4c3497d

  • SHA1

    0e6de0682ae5d89a6530a6c6e03054f5aaeb0662

  • SHA256

    409a345a063f2fc853b7b45c060970231d9fdc6b453444ae855b7fda4be50021

  • SHA512

    802159c0fa6034dfc4278ee470aef46a52947006b007ae6a90391377d6c9b3774c999c30ab8d62a10869bf4d459736da4b70ce97d7771bf849effff7714e6428

Malware Config

Extracted

Family

redline

Botnet

test1

C2

23.88.112.179:19536

Attributes

  • auth_value

    68c6114f4d4c471ad88677f54e75676f

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Tasks