General

  • Target

    18696ad36e07caecddafeacb0da10199f50acc2ac45fb3531ba31aadfa337f0d

  • Size

    1.1MB

  • Sample

    220819-faegwsgdhk

  • MD5

    e71eef08b6f562d68d0c827744aec5e4

  • SHA1

    750861ccfb5289a1ef7f916077a55b190cd2031a

  • SHA256

    18696ad36e07caecddafeacb0da10199f50acc2ac45fb3531ba31aadfa337f0d

  • SHA512

    0af29166a46f34f877b80920609ba91047bc9303498d9ec103b766df6b7ba553e69585f64c22da9b865a51fddc5dd37e7d96cb11cf0709bbd30dc103dc2d12df

  • SSDEEP

    24576:pAT8QE+kxVNpJc7YMQGOna45spYKQMtQY/IYHiQqA245zVYjqGSQK:pAI+sNpJc7YMVItmftJ/UQ12qG5SQK

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes
  • auth_value

    d38b30c1ccd6c1e5088d9e5bd9e51b0f

Targets

    • Target

      18696ad36e07caecddafeacb0da10199f50acc2ac45fb3531ba31aadfa337f0d

    • Size

      1.1MB

    • MD5

      e71eef08b6f562d68d0c827744aec5e4

    • SHA1

      750861ccfb5289a1ef7f916077a55b190cd2031a

    • SHA256

      18696ad36e07caecddafeacb0da10199f50acc2ac45fb3531ba31aadfa337f0d

    • SHA512

      0af29166a46f34f877b80920609ba91047bc9303498d9ec103b766df6b7ba553e69585f64c22da9b865a51fddc5dd37e7d96cb11cf0709bbd30dc103dc2d12df

    • SSDEEP

      24576:pAT8QE+kxVNpJc7YMQGOna45spYKQMtQY/IYHiQqA245zVYjqGSQK:pAI+sNpJc7YMVItmftJ/UQ12qG5SQK

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks