General

  • Target

    master.zip

  • Size

    3.3MB

  • Sample

    220620-134ygadha6

  • MD5

    b545225ee45209daee6c1e5a24d2fbe4

  • SHA1

    81efd59294d1d14605198a688db777243e9e104d

  • SHA256

    748d8690bbd95248e5ef77961a4baa8c87aa70a38e5fcd465a37b24e65558527

  • SHA512

    7b9da12a92f902cac29cb9720c4217418d02128d917d4028ccbd2b82e487931fc9878ccee023d109ae7bdb9a22413a6746219710edd6d4392f69c1d6110e7663

Malware Config

Extracted

Family

redline

Botnet

777

C2

89.22.227.140:31288

Attributes
  • auth_value

    e42115cf07e73321acdde5e388b0aef9
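The extracted config above gives one C2 endpoint, and the report gives file hashes for the archive and the dropper. The following is an added example (not part of the sandbox report) that turns those values into a small IOC set and runs it over a constructed Zeek-style conn.log excerpt and a constructed file-hash inventory; the log lines, internal hosts and the non-matching hash are made up for the demo.

```python
"""Match the IOCs from this report against telemetry.

Added example, not part of the sandbox report. The C2 endpoint and the two
SHA-256 values are copied from the report above; the Zeek-style conn.log
excerpt and the file inventory are constructed for the demo.
"""
from dataclasses import dataclass

# Extracted config: C2 host and port.
C2_HOST = "89.22.227.140"
C2_PORT = 31288

# Report hashes for the archive and the dropper it contains.
SAMPLE_SHA256 = {
    "748d8690bbd95248e5ef77961a4baa8c87aa70a38e5fcd465a37b24e65558527": "master.zip",
    "ccfcbfa79a53af233a5f5fdea50eadd1f4868459cf241790dbbe6704ac054de5": "Installer/Installer.exe",
}

# Constructed conn.log excerpt, tab-separated: ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto. A real conn.log carries more columns; only the
# first seven are read here.
CONN_LOG = """\
1655730000.1\tCx1\t10.0.0.12\t51522\t142.250.74.78\t443\ttcp
1655730012.4\tCx2\t10.0.0.12\t51530\t89.22.227.140\t31288\ttcp
1655730040.9\tCx3\t10.0.0.31\t40211\t89.22.227.140\t443\ttcp
1655730055.0\tCx4\t10.0.0.31\t40212\t8.8.8.8\t53\tudp
"""


@dataclass
class Hit:
    kind: str    # "c2_exact" (host and port), "c2_host" (host only) or "hash"
    source: str  # internal host or file path that produced the hit
    detail: str


def match_conn_log(log_text: str) -> list[Hit]:
    """Flag connections to the C2 host. Host+port is the strongest signal, but
    a connection to the same host on another port is still reported: stealer
    panels move ports more often than they move hosting."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
        if resp_h != C2_HOST:
            continue
        kind = "c2_exact" if int(resp_p) == C2_PORT else "c2_host"
        hits.append(Hit(kind, orig_h, f"{uid} -> {resp_h}:{resp_p}/{proto} at {ts}"))
    return hits


def match_hashes(inventory: dict[str, str]) -> list[Hit]:
    """inventory maps file path -> SHA-256, as an EDR file listing would."""
    return [Hit("hash", path, SAMPLE_SHA256[digest.lower()])
            for path, digest in inventory.items()
            if digest.lower() in SAMPLE_SHA256]


if __name__ == "__main__":
    # Constructed inventory: one hash from the report, one unrelated hash.
    inventory = {
        r"C:\Users\bob\Downloads\master.zip":
            "748d8690bbd95248e5ef77961a4baa8c87aa70a38e5fcd465a37b24e65558527",
        r"C:\Windows\System32\notepad.exe": "00" * 32,
    }
    for hit in match_conn_log(CONN_LOG) + match_hashes(inventory):
        print(hit)
```

The IP is the most perishable indicator on this page and belongs in a blocklist with an expiry; the botnet ID (777) and auth_value are set in the builder rather than tied to the hosting, so they are the better keys for clustering samples from the same operator after a C2 move.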

Targets

    • Target

      Installer/Installer.exe

    • Size

      718.2MB (the whole master.zip is 3.3MB, so the executable is almost entirely compressible padding)

    • MD5

      21789861e186b60def326d7fd6966fb1

    • SHA1

      354987da5189498370577768cc3125f2d2b3167c

    • SHA256

      ccfcbfa79a53af233a5f5fdea50eadd1f4868459cf241790dbbe6704ac054de5

    • SHA512

      9b3f0beeb76011fcdf97e8a934920c7f74f5c3008d76d06f5b8ea20c8bc374305ff1e55b75fb8c6f746f1ca0123cdd61fc971299914524449670d23fd0a26839

    • NetSupport

      NetSupport Manager is a commercial remote access tool sold as legitimate system administration software; it is routinely abused as a RAT, which is why its presence is flagged.

    • RedLine

      RedLine Stealer is an infostealer written in C#, first appearing in early 2020. It harvests browser credentials, cryptocurrency wallets and system information and reports to its C2, here 89.22.227.140:31288.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check: a common way for stealers to avoid running in the operator's home region.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data: saved credentials, cookies, autofill entries and browsing history.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate installed software.

    • Suspicious use of SetThreadContext

      Setting another thread's context is how process hollowing and thread hijacking redirect a suspended process to injected code; legitimate software rarely does this outside debuggers.
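The size line above (718.2MB in a 3.3MB zip) is the practical problem with this dropper: the file is too large for many AV upload paths and sandboxes, and its raw hash changes with every padding length. The following is an added example (not part of the sandbox report) of how to measure the inflation, cut the padding and hash the remaining core; the sample bytes are constructed here and the real Installer.exe is not reproduced.

```python
"""Triage an inflated dropper like Installer/Installer.exe above (718.2MB
inside a 3.3MB zip).

Added example, not part of the sandbox report. A file that compresses ~200x is
almost entirely padding, typically a run of one byte appended as an overlay to
push the executable past AV upload and sandbox size limits. These helpers
measure that, cut the padding off and hash the remaining core, so builds that
differ only in padding length share one hash. The sample bytes are constructed
here; the real Installer.exe is not reproduced.
"""
import hashlib
import random
import zlib


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by raw size. Real code, and packed or encrypted
    data, sit near 1.0; an inflated file lands far below 0.1."""
    return len(zlib.compress(data, 1)) / len(data)


def trailing_run(data: bytes) -> tuple[int, int]:
    """(length, byte value) of the run of identical bytes that ends the file."""
    if not data:
        return 0, -1
    last = data[-1]
    return len(data) - len(data.rstrip(bytes([last]))), last


def strip_padding(data: bytes, min_run: int = 1 << 20) -> bytes:
    """Remove a trailing run of one byte if it is at least min_run (1 MiB)
    long. Shorter runs are ordinary section alignment and are kept. A
    repeating multi-byte pattern would not be caught by this check."""
    n, _ = trailing_run(data)
    return data[:-n] if n >= min_run else data


def core_sha256(data: bytes) -> str:
    """SHA-256 of the file with the padding overlay removed."""
    return hashlib.sha256(strip_padding(data)).hexdigest()


def build_inflated_sample(core_len: int = 64 * 1024,
                          pad_len: int = 8 * 1024 * 1024,
                          seed: int = 7) -> bytes:
    """Constructed stand-in for the dropper: an incompressible pseudo-random
    'core' (ending in a non-zero byte) followed by a null-byte overlay."""
    rnd = random.Random(seed)
    core = b"MZ" + rnd.randbytes(core_len - 3) + b"\xc3"
    return core + b"\x00" * pad_len


if __name__ == "__main__":
    sample = build_inflated_sample()
    run_len, byte = trailing_run(sample)
    print(f"size {len(sample)}  compression ratio {compression_ratio(sample):.4f}")
    print(f"trailing run: {run_len} x 0x{byte:02x}")
    print("raw sha256 ", hashlib.sha256(sample).hexdigest())
    print("core sha256", core_sha256(sample))
```

The hashes in this report (ccfcbfa7... for Installer.exe) are of the padded file as submitted; when sharing indicators for inflated builds, publish the core hash alongside them, since the raw hash is unlikely to match the next build from the same operator.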

    • Target

      Installer/browser.dll

    • Size

      132KB

    • MD5

      bc111aadacd0bf59d56547461d13ab6e

    • SHA1

      b9a5440bfacc2584668b20056152c74420a5a4f8

    • SHA256

      91e3619930c29ee4b2683683888ba7ee3cf6b1ddb0c19a14e0880470cbe40ef4

    • SHA512

      b72e65eac7007de85bc83700f34187d0d1dc1ffedae9257388ec1e3c6b1900d33d8483a703216ce940afc8eb63a9a2c3040f02ea3761035969ed5d12fd151bb8

    • Score

      1/10

    • Target

      Installer/en-US/winload.efi.mui

    • Size

      29KB

    • MD5

      1bf80c3bdbe730461d4087438f1f23a0

    • SHA1

      9d445039e300356e34bcfd6feb48f709c0ac59b3

    • SHA256

      648317f6c727a8471c777caba6571a7ea9ff7e943955ef402164cd3e858e5c7d

    • SHA512

      abe3c746204427a99b46bfcd4ba4ca6bd3979480597defb9e51b68d977ba3ee340b19b710ec9d855dcd0b3294d51945d36096f2f4f3630f150106cdea74d0647

    • Score

      1/10

    • Target

      Installer/en-US/winload.exe.mui

    • Size

      29KB

    • MD5

      a2cf47e63d0707e50b009e3a8aaba3c6

    • SHA1

      5087a624d3bd8819f97cd5213a216e9da5c1cce7

    • SHA256

      2927e06045c0e7a87efd7d6060b758918a8b84a5a6022c717c6eb614ba0411df

    • SHA512

      de1b0e6aa5e509fbbdbd6e8e415745cb6d6f302452e5c05f5ef7ab35e3f7cbaf10efd8dc2f127c74b7945db6277d56d6dcc85bd44699df4e8b6425c81bac3eec

    • Score

      1/10

    • Target

      Installer/en-US/winresume.efi.mui

    • Size

      19KB

    • MD5

      ae27112d53e91476a680349e970561c8

    • SHA1

      f8c555f98f036fc23633cf0fb07b194c77b62f59

    • SHA256

      87757a7473668a6b09291db9837ccfaa98312b753c0aa321e285a47e1127df4a

    • SHA512

      925b5b5a224dfed3549211b145cc375e9ffc8c5fe0d5f60cdd039f762609ec7a6193dbbf3655fde7555c10edc3609b6ad572de7d02e6cc2896947965e85d5fa2

    • Score

      1/10

    • Target

      Installer/en-US/winresume.exe.mui

    • Size

      19KB

    • MD5

      658565934325ef437374bfad47189865

    • SHA1

      cd1e618b5a43782648f5ad5d24531ab98e790d40

    • SHA256

      9f16b796395c3b20bbe10743b0e8195378dacb3e29f881f30ac220bf6a670b60

    • SHA512

      79d3c42c848403ceeb162d0e00ee7ec75e5bc19addc606519a616dac4d11e366d09091414df153f637e20e5b4ac30368baebff9f0fb1dfcd00aa0b3fb7ee9ab3

    • Score

      1/10

    • Target

      Installer/ssleay32.dll

    • Size

      481KB

    • MD5

      c22b00e2c376789f4e124f427a130421

    • SHA1

      12866bca9b5c43a0f7f2ca03b2bd6ba3c6bacf00

    • SHA256

      e3f2799537c1de13df20734426c1c3fd0f4b3f8e63019ca9cc2f1ec9b0af1fb1

    • SHA512

      68bdcd406f81c9e35453322004c41fc6f542506e3151fb483008824e523f83c24272feea715a736bbdccbb2b2da077b3b1b7a7f9a012df296e412e88d665b548

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v6 (technique IDs follow ATT&CK v6; T1081 is T1552.001 in current versions)

Credential Access

  • Credentials in Files, T1081 (×2)

Discovery

  • Query Registry, T1012 (×2)

  • System Information Discovery, T1082 (×2)

Collection

  • Data from Local System, T1005 (×2)
