General

  • Target

    run.exe

  • Size

    363KB

  • Sample

    220804-re7j1sgfgl

  • MD5

    6a3269d9c04f370d1d2e7384c716d26f

  • SHA1

    860b4afab55af28c0eb99f49c8c7e95b90313f80

  • SHA256

    8006c7dca010f19218147a16ccec14db546027bebba8ce7870e515824f532edf

  • SHA512

    91b20f066964178633691a741e4b0ceae2f7af17d15965b4fbdfeb8ac1defe4964f5172d18f51c3efe9d7b3bab64fccfd51091ddc2616b5a51b500e47daa330c

Malware Config

Extracted

  • Family

    redline

  • C2

    33.43.2.23:45102

  • Attributes

    auth_value: 4ecb8f70a78c110cf5e92deaf5855f22

Extracted

  • Family

    colibri

  • Version

    1.2.0

  • Botnet

    Build1

  • C2

    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
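The extracted config above is the part of this report a responder acts on first: the RedLine C2 socket and the two Colibri gate URLs can be turned into network detections straight away. The following Python is an added example, not part of the sandbox report or of either malware family's code. It normalises the C2 values exactly as listed above into indicators and scans log lines for them; the log lines and their "timestamp source type details" layout are constructed for illustration. It goes slightly beyond the report in that a domain indicator also matches any subdomain of the C2 host, and an IP hit on a port other than 45102 is still reported but flagged as a weaker (port mismatch) hit.

```python
"""Scan connection, proxy and DNS log lines for the C2 indicators extracted
from this sample's config (RedLine and Colibri). Added example, not part of
the sandbox report; the log lines below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of the report above.
REDLINE_C2 = ["33.43.2.23:45102"]
COLIBRI_C2 = [
    "http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php",
    "http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php",
]

# Constructed log lines in a simple "<ts> <src> <type> <details>" layout;
# lines 1-3 should hit, lines 4-5 are benign traffic.
SAMPLE_LOG = """\
2022-08-04T12:00:01Z 10.0.0.5 conn 33.43.2.23:45102 tcp
2022-08-04T12:00:02Z 10.0.0.5 http POST http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php 200
2022-08-04T12:00:03Z 10.0.0.7 dns yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx A
2022-08-04T12:00:04Z 10.0.0.9 http GET http://example.com/index.html 200
2022-08-04T12:00:05Z 10.0.0.9 conn 8.8.8.8:53 udp
"""

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
HOSTNAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)


def build_indicators():
    """Normalise the raw config values into (kind, host, port, family)."""
    iocs = []
    for entry in REDLINE_C2:
        host, port = entry.rsplit(":", 1)
        iocs.append(("ip", host, int(port), "redline"))
    for url in COLIBRI_C2:
        parts = urlsplit(url)
        iocs.append(("domain", parts.hostname.lower(), parts.port or 80, "colibri"))
    return iocs


def extract_observables(line):
    """Pull (kind, host, port) tuples out of one log line.

    Recognises ip:port pairs, bare IPs, URLs and bare hostnames; the
    timestamp and other tokens without a dot are ignored."""
    found = []
    for token in line.split():
        m = IP_PORT.match(token)
        if m:
            found.append(("ip", m.group(1), int(m.group(2))))
            continue
        try:
            ipaddress.ip_address(token)
            found.append(("ip", token, None))
            continue
        except ValueError:
            pass
        if token.startswith(("http://", "https://")):
            parts = urlsplit(token)
            if parts.hostname:
                default = 443 if parts.scheme == "https" else 80
                found.append(("domain", parts.hostname.lower(), parts.port or default))
            continue
        if HOSTNAME.match(token):
            found.append(("domain", token.lower(), None))
    return found


def match_indicator(observable, indicators):
    """Return (family, port_match) for the first indicator the observable
    hits, or None. Domains match on the exact name or any subdomain, so a
    changed host label in front of the C2 domain is still caught."""
    kind, host, port = observable
    for ikind, ihost, iport, family in indicators:
        if ikind != kind:
            continue
        if kind == "ip" and host == ihost:
            return family, port == iport
        if kind == "domain" and (host == ihost or host.endswith("." + ihost)):
            return family, port is None or port == iport
    return None


def scan_logs(text, indicators=None):
    """Scan every line of `text`; one hit per matching observable."""
    indicators = indicators or build_indicators()
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for obs in extract_observables(line):
            result = match_indicator(obs, indicators)
            if result:
                family, port_match = result
                hits.append({"line": lineno, "family": family, "kind": obs[0],
                             "value": obs[1], "port_match": port_match})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(hit)
```

Against the constructed log this reports three hits: the RedLine socket on line 1 (exact port), the Colibri gate request on line 2 and the DNS lookup of the second Colibri domain on line 3. In practice the domain match is the durable one: the RedLine IP is a single hosting node that can change between builds, whereas the two Colibri domains are what the loader is configured to beacon to.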

Targets

    • Target

      run.exe

    • Size

      363KB

    • MD5

      6a3269d9c04f370d1d2e7384c716d26f

    • SHA1

      860b4afab55af28c0eb99f49c8c7e95b90313f80

    • SHA256

      8006c7dca010f19218147a16ccec14db546027bebba8ce7870e515824f532edf

    • SHA512

      91b20f066964178633691a741e4b0ceae2f7af17d15965b4fbdfeb8ac1defe4964f5172d18f51c3efe9d7b3bab64fccfd51091ddc2616b5a51b500e47daa330c

    • Colibri Loader

      A loader sold as malware-as-a-service (MaaS), first seen in August 2021.

    • RedLine

      RedLine Stealer is an information-stealing malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the sample does not run in excluded countries.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Discovery              Query Registry                 1      T1012
  Discovery              System Information Discovery   2      T1082

Tasks