General

  • Target

    0b757d38d347d1f763f59ab7f0423ae8.exe

  • Size

    406KB

  • Sample

    220605-h9h1gahaa4

  • MD5

    0b757d38d347d1f763f59ab7f0423ae8

  • SHA1

    fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

  • SHA256

    2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

  • SHA512

    0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Malware Config

Extracted

  • Family

    redline

  • Botnet

    X

  • C2

    194.127.179.35:35180

  • Attributes

    • auth_value

      76e43cff05002e5f6e3334fa7946e404

Targets

    • Target

      0b757d38d347d1f763f59ab7f0423ae8.exe

    • Size

      406KB

    • MD5

      0b757d38d347d1f763f59ab7f0423ae8

    • SHA1

      fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

    • SHA256

      2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

    • SHA512

      0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext
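The config block above (C2 endpoint, sample hashes) and the behaviour signatures (vbc.exe spawned for execution) are the parts of this report a responder would turn into checks. The script below is an added example, not part of the sandbox report or of any RedLine tooling: it takes the report's IOCs and runs them over constructed log data. The Zeek conn.log rows, the Sysmon process-creation records, the workstation names and paths, and the allow-list of parents that legitimately launch vbc.exe are all assumptions made for the example; the IP, port and hashes are the ones the report lists.

```python
"""Turn the IOCs in this RedLine report into simple checks over constructed log data.

Added example, not part of the sandbox report or of any RedLine tooling.
All log rows, hostnames and paths below are constructed for the example.
"""
import ntpath

# IOCs copied from the report above.
C2_HOST = "194.127.179.35"
C2_PORT = 35180
REPORT_HASHES = {
    "md5": "0b757d38d347d1f763f59ab7f0423ae8",
    "sha1": "fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577",
    "sha256": "2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124",
}

# Constructed Zeek conn.log rows (tab-separated): ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto. Two rows reach the C2, one is ordinary HTTPS.
ZEEK_CONN_LINES = [
    "1654414800.123\tCa1b2c3\t10.0.0.15\t51234\t194.127.179.35\t35180\ttcp",
    "1654414801.456\tCd4e5f6\t10.0.0.15\t51235\t142.250.74.78\t443\ttcp",
    "1654414802.789\tCg7h8i9\t10.0.0.22\t49811\t194.127.179.35\t35180\ttcp",
]

# Constructed Sysmon Event ID 1 (process creation) records. The first mirrors the
# "Uses the VBS compiler for execution" signature: vbc.exe spawned by the sample.
SYSMON_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allow-list of parents that legitimately launch vbc.exe; tune per environment.
VBC_ALLOWED_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}


def find_c2_connections(lines, host=C2_HOST, port=C2_PORT):
    """Return (orig_h, uid) for every conn.log row whose responder is the C2 endpoint."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # skip short rows and Zeek header/comment lines
        if fields[4] == host and fields[5].isdigit() and int(fields[5]) == port:
            hits.append((fields[2], fields[1]))
    return hits


def suspicious_vbc_launches(events):
    """Return process-creation events where vbc.exe has a parent outside the allow-list."""
    out = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if image == "vbc.exe" and parent not in VBC_ALLOWED_PARENTS:
            out.append(ev)
    return out


def match_hashes(observed, report=REPORT_HASHES):
    """Map each observed hash (any case, any of the report's algorithms) to the algorithm it matched."""
    by_value = {v.lower(): algo for algo, v in report.items()}
    return {h: by_value[h.lower()] for h in observed if h.lower() in by_value}


if __name__ == "__main__":
    for orig_h, uid in find_c2_connections(ZEEK_CONN_LINES):
        print(f"C2 connection from {orig_h} (conn uid {uid})")
    for ev in suspicious_vbc_launches(SYSMON_PROCESS_EVENTS):
        print("vbc.exe launched by", ev["ParentImage"])
    print(match_hashes(["FCF1B343AB5C7F9AC72FC6C85B3C478C5875F577", "deadbeef"]))
```

The C2 match keys on responder host and port together, since the port is part of the extracted config; matching the IP alone would also catch unrelated traffic if the host is shared. The vbc.exe check is an allow-list rather than a block-list because the compiler is a signed Microsoft binary and the only anomaly in this report is who launched it.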

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Count  ID
  Execution              Scripting                      1      T1064
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Defense Evasion        Scripting                      1      T1064
  Credential Access      Credentials in Files           1      T1081
  Discovery              Query Registry                 1      T1012
  Discovery              System Information Discovery   2      T1082
  Collection             Data from Local System         1      T1005

Tasks