General

  • Target

    0x00070000000139ff-155.dat

  • Size

    1MB

  • Sample

    220806-q3s6vsfcem

  • MD5

    e44b6cb9e7111de178fbabf3ac1cba76

  • SHA1

    b15d8d52864a548c42a331a574828824a65763ff

  • SHA256

    c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

  • SHA512

    24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

Malware Config

Extracted

Family

redline

Botnet

install

C2

31.41.244.109:3590

Attributes
auth_value
eb23a0ca5a38a3bf1eb16b2f08524f35

Extracted

Family

nymaim

C2

208.67.104.9

212.192.241.16

Extracted

Family

redline

C2

194.36.177.7:39556

Attributes
auth_value
37f7baab2f9c2105ad605cd792dbb4ca

Extracted

Family

redline

Botnet

ruzki

C2

193.106.191.165:39482

Attributes
auth_value
71a0558c0eea274a5bd617ea85786884

Extracted

Family

redline

Botnet

ruzki 10

C2

185.106.92.235:12654

Attributes
auth_value
bd55c8a28ef77f4992002099164ebe01

Targets

    • Target

      0x00070000000139ff-155.dat

    • Size

      1MB

    • MD5

      e44b6cb9e7111de178fbabf3ac1cba76

    • SHA1

      b15d8d52864a548c42a331a574828824a65763ff

    • SHA256

      c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

    • SHA512

      24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

    • Modifies Windows Defender Real-time Protection settings

    • NyMaim

      NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation