Overview

overview

10

Static

static

TRANSFEREN...17 .js

windows7-x64

10

TRANSFEREN...17 .js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TRANSFERENCIA $112987.17 .js

  • Size

    1008B

  • Sample

    220815-s1ydxacecr

  • MD5

    8331b99789a6d4cfa1e291b9539040e8

  • SHA1

    4652be22a71794b44e8acc9b088a80f964eaa7d3

  • SHA256

    c908e8b8b20bc3ae075f660a769d969785a05ab0182238588110479ae829a361

  • SHA512

    aa4f3ca6556ce891232279b266d4ee1133166ac3e243e4d29db5cbf008a841facad1ad59caad0d165331cafc63c21a4d48f25e5b9721cab5bc45156c33754cbd

Score
10/10
redlinefirefoxdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

FireFox

C2

195.178.120.19:24150

Targets

    • Target

      TRANSFERENCIA $112987.17 .js

    • Size

      1008B

    • MD5

      8331b99789a6d4cfa1e291b9539040e8

    • SHA1

      4652be22a71794b44e8acc9b088a80f964eaa7d3

    • SHA256

      c908e8b8b20bc3ae075f660a769d969785a05ab0182238588110479ae829a361

    • SHA512

      aa4f3ca6556ce891232279b266d4ee1133166ac3e243e4d29db5cbf008a841facad1ad59caad0d165331cafc63c21a4d48f25e5b9721cab5bc45156c33754cbd

    Score
    10/10
    redlinefirefoxdiscoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks