General

  • Target

    Purchaseorder.zip

  • Size

    623KB

  • Sample

    220524-g8wz9sbacn

  • MD5

    fe450ff37d17f0420e4fc2dfdc87acbb

  • SHA1

    84a198d390d29af034ad3f5046033e4bfb2f1f52

  • SHA256

    edd5d8eab7978a0e272cca6f153e2b7e66d0f924925d00bc99af9e7b00ee03fc

  • SHA512

    c894764175e1e56f0c71c7433a35911c14450e3176f632fa306b3446f3fcc4b663f91ffbc5b123b9161b74168414f8a903fafbf7e1b7d3cefa3d79f6f8f85eb6

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

redline

Botnet

love

C2

101.99.93.62:43200

Targets

    • Target

      PurchaseorderN2321.xll

    • Size

      642KB

    • MD5

      097f479c059a0457970f5370d1c20607

    • SHA1

      52defc3f3200bad2c288bebbec51900519d94c66

    • SHA256

      bbd9443b33cfc70359018a41bc56f9a04b05c4761070d9ab805879014047374f

    • SHA512

      dbd287780c594cb2dadc34d5362d36ac7d430e25dbc78041564a9efd7ed9d9cc500e20a8720ef2e2a4a7c576856cba69b8c73b0da57df0be7106cafd3b2a6ec9

    Score
    10/10
    • Loads dropped DLL

    • Target

      PurchaseorderN3455.xll

    • Size

      560KB

    • MD5

      831052f170e6d906cdc9dbed25ac1f24

    • SHA1

      6b51a5a21dfc8b68ad85ef9a93d815b56b38d058

    • SHA256

      fe0c53f6201f2bc220745f6fd58a8bad448aea825320341389feb6b42cbd76e9

    • SHA512

      a054cff00bc79aef5891c074fbcf9b4954f2295a80fd4a900b133413c38da56d3cf469ec30ac3f6231b57d48f23532b0ea79d790c674ba1bbafe4745cd62ca61

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Count   ID
  Defense Evasion   Modify Registry                2       T1112
  Discovery         Query Registry                 4       T1012
  Discovery         System Information Discovery   4       T1082

Tasks