Overview

overview

10

Static

static

6e13805b2d...ef.exe

windows7-x64

10

6e13805b2d...ef.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6e13805b2d48183881001fb404a52afa668dbb1a88cef.exe

  • Size

    726KB

  • Sample

    220831-hzx2msafer

  • MD5

    77094fdf5ddaa0b50dab615eddb267fa

  • SHA1

    3840de5e390d216614e1af34dd5402bafc739a9b

  • SHA256

    6e13805b2d48183881001fb404a52afa668dbb1a88cef942a44d3870b0e325b0

  • SHA512

    b24a6f39ef67852c1ccfcf252744bff0e9fa83831a59331e44ccde2f703a603247d34b48a9719563b91d88c68ade719de53bf8b395324af71098bf5a68dc3620

  • SSDEEP

    12288:jJmY1wzd5JOYjWyjhI7JQksX1MatKhsBkutBa:vah5JpjWz7JQHX1MatKhSkMB

Score
10/10
colibriredlinebuild1mettop1discoveryinfostealerloaderspywarestealer

Malware Config

Extracted

Family

redline

Botnet

mettop1

C2

xoralessh.xyz:80

Attributes
  • auth_value

    a8206072062ec5262484a012d246646b

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      6e13805b2d48183881001fb404a52afa668dbb1a88cef.exe

    • Size

      726KB

    • MD5

      77094fdf5ddaa0b50dab615eddb267fa

    • SHA1

      3840de5e390d216614e1af34dd5402bafc739a9b

    • SHA256

      6e13805b2d48183881001fb404a52afa668dbb1a88cef942a44d3870b0e325b0

    • SHA512

      b24a6f39ef67852c1ccfcf252744bff0e9fa83831a59331e44ccde2f703a603247d34b48a9719563b91d88c68ade719de53bf8b395324af71098bf5a68dc3620

    • SSDEEP

      12288:jJmY1wzd5JOYjWyjhI7JQksX1MatKhsBkutBa:vah5JpjWz7JQHX1MatKhSkMB

    Score
    10/10
    redlinemettop1discoveryinfostealerspywarestealercolibribuild1loader

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

      loadercolibri

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks