General

  • Target

    SecuriteInfo.com.Variant.Tedy.200463.8682.12520.exe

  • Size

    360KB

  • Sample

    220911-yldzlsfhal

  • MD5

    064f03372ad37d439da8156c25025243

  • SHA1

    910682004ea3e063841c06b74a6899363e977eff

  • SHA256

    42faff130fc1df68f42fb26b8e8107123952720564f87d3114286273dc672a7d

  • SHA512

    b12f79fe41692f771d42344a84b03742711cd2fcc28807193e1147a91afe7d64bfb8ed95d8285b5f59d9acc2f2098879ed25ba237c4c89960aa508d0392eb3f0

  • SSDEEP

    6144:7EQoFoqNgtIg2UULBjzunMH/DTN4I02uPuAAa1guT:7VUFitR2UUNOMH0Ru1

Malware Config

Extracted

Family

redline

Botnet

Lyla.11.09

C2

185.215.113.216:21921

Attributes
  • auth_value

    a1e5192e588aa983d678ceb4d6e0d8b5

Targets

    • Target

      SecuriteInfo.com.Variant.Tedy.200463.8682.12520.exe

    • Size

      360KB

    • MD5

      064f03372ad37d439da8156c25025243

    • SHA1

      910682004ea3e063841c06b74a6899363e977eff

    • SHA256

      42faff130fc1df68f42fb26b8e8107123952720564f87d3114286273dc672a7d

    • SHA512

      b12f79fe41692f771d42344a84b03742711cd2fcc28807193e1147a91afe7d64bfb8ed95d8285b5f59d9acc2f2098879ed25ba237c4c89960aa508d0392eb3f0

    • SSDEEP

      6144:7EQoFoqNgtIg2UULBjzunMH/DTN4I02uPuAAa1guT:7VUFitR2UUNOMH0Ru1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks