Overview

overview

10

Static

static

Purchaseor...55.xll

windows7_x64

7

Purchaseor...55.xll

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PurchaseorderN3455.xll

  • Size

    560KB

  • Sample

    220524-g9glzaffb8

  • MD5

    831052f170e6d906cdc9dbed25ac1f24

  • SHA1

    6b51a5a21dfc8b68ad85ef9a93d815b56b38d058

  • SHA256

    fe0c53f6201f2bc220745f6fd58a8bad448aea825320341389feb6b42cbd76e9

  • SHA512

    a054cff00bc79aef5891c074fbcf9b4954f2295a80fd4a900b133413c38da56d3cf469ec30ac3f6231b57d48f23532b0ea79d790c674ba1bbafe4745cd62ca61

Score
10/10
redlineloveinfostealer

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

redline

Botnet

love

C2

101.99.93.62:43200

Targets

    • Target

      PurchaseorderN3455.xll

    • Size

      560KB

    • MD5

      831052f170e6d906cdc9dbed25ac1f24

    • SHA1

      6b51a5a21dfc8b68ad85ef9a93d815b56b38d058

    • SHA256

      fe0c53f6201f2bc220745f6fd58a8bad448aea825320341389feb6b42cbd76e9

    • SHA512

      a054cff00bc79aef5891c074fbcf9b4954f2295a80fd4a900b133413c38da56d3cf469ec30ac3f6231b57d48f23532b0ea79d790c674ba1bbafe4745cd62ca61

    Score
    10/10
    redlineloveinfostealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks