General

  • Target

    fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522

  • Size

    1MB

  • Sample

    220516-j14q9aacgj

  • MD5

    6e31d2f2c745b340e02b2e1f9711a715

  • SHA1

    9c99809aa69805f708afb5418b68b430d4087552

  • SHA256

    fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522

  • SHA512

    41694c05606a8585e6fa8e4e5e0672c59ccc096be6dbf0184c4af0e03e145f98101d96d02e3f744f9710cb722906b2afb2b6f90851842cec9eb9912c32fc587c

Malware Config

Extracted

Family

redline

Botnet

Install

C2

176.10.119.117:27038

Attributes
auth_value
701b6467f584b2d5c52fa31ecce6761d

Targets

    • Target

      fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522

    • Size

      1MB

    • MD5

      6e31d2f2c745b340e02b2e1f9711a715

    • SHA1

      9c99809aa69805f708afb5418b68b430d4087552

    • SHA256

      fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522

    • SHA512

      41694c05606a8585e6fa8e4e5e0672c59ccc096be6dbf0184c4af0e03e145f98101d96d02e3f744f9710cb722906b2afb2b6f90851842cec9eb9912c32fc587c

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation