General

  • Target

    8f53ac20b7777477c10ecbe163968c472457d3819ebafb20f232c5b1a448eb1b

  • Size

    413KB

  • Sample

    220808-kdkwasgacl

  • MD5

    127768b759970c351b9d9947c97a3c83

  • SHA1

    5c7cca03e0cd8af8a5bb2c70a48f917965ae9514

  • SHA256

    8f53ac20b7777477c10ecbe163968c472457d3819ebafb20f232c5b1a448eb1b

  • SHA512

    b324d7ff35c2ab81ccee687d32af9e9f30b2a75182a5cf9244061069ffcf3718df5c7b06c40819e772309f6aaba2cfe987e13c821c85471c6bb1a437fa06dffd

Malware Config

Extracted

  • Family

    redline

  • Botnet

    1

  • C2

    207.32.218.115:4162

  • Attributes

    auth_value: 58f3be996f732af4b1f9624e1a783249

Extracted

  • Family

    colibri

  • Version

    1.2.0

  • Botnet

    Build1

  • C2

    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 2