General

  • Target

    ca3e3737fe4408b3a4b5362a12ffb59c96f7c8e722d047196b559d7f1bd0debb

  • Size

    2.4MB

  • Sample

    220705-vhj5nsdaa8

  • MD5

    6fd9f3590d136a30f43079ffedcc7913

  • SHA1

    ef43a3dcc0664994ccbb4574606a2b783972d744

  • SHA256

    ca3e3737fe4408b3a4b5362a12ffb59c96f7c8e722d047196b559d7f1bd0debb

  • SHA512

    508185655378eec8d1d34fa23dce970907467cee530bb8f6100bbe871320ea2471e24a85f1e001b04301a9a5dbeb7bfad19050d6d3efa4cb2bfb35ef6cc89e4c

Malware Config

Extracted

Family

redline

C2

141.95.140.173:33470

Attributes
  • auth_value

    6d9508e5573e656e0dc3c4c5f8526d8e

Targets

    • Target

      ca3e3737fe4408b3a4b5362a12ffb59c96f7c8e722d047196b559d7f1bd0debb

    • Size

      2.4MB

    • MD5

      6fd9f3590d136a30f43079ffedcc7913

    • SHA1

      ef43a3dcc0664994ccbb4574606a2b783972d744

    • SHA256

      ca3e3737fe4408b3a4b5362a12ffb59c96f7c8e722d047196b559d7f1bd0debb

    • SHA512

      508185655378eec8d1d34fa23dce970907467cee530bb8f6100bbe871320ea2471e24a85f1e001b04301a9a5dbeb7bfad19050d6d3efa4cb2bfb35ef6cc89e4c

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks