General

  • Target: 0f825e504d181de431550ae732e1bc49.exe
  • Size: 399KB
  • Sample: 220810-m99weabce7
  • MD5: 0f825e504d181de431550ae732e1bc49
  • SHA1: 829eee9072fec9a8cd750add714b3fde39c4034b
  • SHA256: 1c097578d9587bd8a233bd383ec71123b03c75b582dcc7e8f5c085e05d32cd3d
  • SHA512: f516b5a6987fcc36bdec18590a2cb8d563afe0bdf20ad641a72a98eb21051a7e62d698000606807dbcd335f1edf0843a0885444bb891068d360bc5ce44cd5ca3

Malware Config

Extracted

  • Family: redline
  • Botnet: 1
  • C2: 194.156.99.113:46237
  • Attributes
    • auth_value: 46329fc87924eb6eaf95dbb680b20dbd

Extracted

  • Family: colibri
  • Version: 1.2.0
  • Botnet: Build1
  • C2:
    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

  • Target: 0f825e504d181de431550ae732e1bc49.exe
  • Size: 399KB
  • MD5: 0f825e504d181de431550ae732e1bc49
  • SHA1: 829eee9072fec9a8cd750add714b3fde39c4034b
  • SHA256: 1c097578d9587bd8a233bd383ec71123b03c75b582dcc7e8f5c085e05d32cd3d
  • SHA512: f516b5a6987fcc36bdec18590a2cb8d563afe0bdf20ad641a72a98eb21051a7e62d698000606807dbcd335f1edf0843a0885444bb891068d360bc5ce44cd5ca3

Signatures

  • Colibri Loader
    A loader sold as MaaS (malware-as-a-service), first seen in August 2021.

  • RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload

  • Executes dropped EXE

  • Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses cryptocurrency files/wallets, possible credential harvesting

  • Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software installed on the system.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  --------------------  -----------------------------  -----  -----
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Credential Access     Credentials in Files           2      T1081
  Discovery             Query Registry                 2      T1012
  Discovery             System Information Discovery   2      T1082
  Collection            Data from Local System         2      T1005
