General

  • Target

    d9a0e4322b0520cefe7c275e78f0c7d3f28275b2ed479813a5322bdcab92c070

  • Size

    266KB

  • Sample

    220913-cge58aacbj

  • MD5

    95c617f1fbd33f0b67f119299e516452

  • SHA1

    e71afd6fa1ae1887c3e243c224469fa549a137bb

  • SHA256

    d9a0e4322b0520cefe7c275e78f0c7d3f28275b2ed479813a5322bdcab92c070

  • SHA512

    8f4bbc94cb0600576f47b0e7cbb9e0da8dadc3d399aa68786005243d009a86c660db0635ec3b3d3327feccfa935afcd91ffd4f9fd970b4be10628782ba88b800

  • SSDEEP

    6144:1f9aNoiuo9hlzE32QkZw2pK3mpq4mrE6wsdw:JaoiuoPdE32QkZwX3l4mbwMw

Malware Config

Extracted

Family

redline

Botnet

bits

C2

78.153.144.84:27027

Attributes
  • auth_value

    afc8a7054292ba8aa16820b581e6e054

Targets

    • Target

      d9a0e4322b0520cefe7c275e78f0c7d3f28275b2ed479813a5322bdcab92c070

    • Size

      266KB

    • MD5

      95c617f1fbd33f0b67f119299e516452

    • SHA1

      e71afd6fa1ae1887c3e243c224469fa549a137bb

    • SHA256

      d9a0e4322b0520cefe7c275e78f0c7d3f28275b2ed479813a5322bdcab92c070

    • SHA512

      8f4bbc94cb0600576f47b0e7cbb9e0da8dadc3d399aa68786005243d009a86c660db0635ec3b3d3327feccfa935afcd91ffd4f9fd970b4be10628782ba88b800

    • SSDEEP

      6144:1f9aNoiuo9hlzE32QkZw2pK3mpq4mrE6wsdw:JaoiuoPdE32QkZwX3l4mbwMw

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks