General

  • Target

    WhatsApp-cleaned.bin.zip

  • Size

    3.6MB

  • Sample

    220922-vl2h5acab4

  • MD5

    77526e613ea288bb1d71984839242425

  • SHA1

    358c9deda98ef5c705447d6272711a7f23860a59

  • SHA256

    253dac045440d4f57c049b87c90f3665c7bb26f8822e71d2b512f4b7f31fc3c0

  • SHA512

    909566f561c332c982df8fbb7fc2f1734eeac7741685948bc67ca9a8ba2e1c93419ceae15775fff6e45e0af24c98e507d5e8b54578a22bc7961f25c1ed7d00e7

  • SSDEEP

    98304:bVMx9l4O6n0g0tvKmzqdpUV901+ShY5Bk1NtVlB:Cp4O6nKzk5hkWvt7B

Malware Config

Extracted

  • Family

    redline

  • Botnet

    ws-19

  • C2

    38.91.100.57:32750

  • Attributes

    auth_value: b8974207e31b05e60d39e04eba8eeb0b
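
Before the C2 endpoint and the file hashes from this report go into a blocklist or an IDS, it is worth sanity-checking them (a mistyped digest or a private C2 address silently produces a rule that never fires). The script below is an added example, not part of the Triage report or of any RedLine tooling: it validates the extracted values, then emits a Suricata rule and a SHA-256 blocklist from them. The rule text, the sid and the rejection of non-routable addresses are this example's own choices.

```python
"""Validate the indicators extracted in this report and turn them into
detection artefacts. Added example; the Suricata rule layout and sid are
assumptions, the indicator values are copied from the report."""
import ipaddress
import re
from dataclasses import dataclass

# Values copied from the report.
REDLINE_CONFIG = {
    "family": "redline",
    "botnet": "ws-19",
    "c2": "38.91.100.57:32750",
    "auth_value": "b8974207e31b05e60d39e04eba8eeb0b",
}
FILE_HASHES = {
    "WhatsApp-cleaned.bin.zip": {
        "md5": "77526e613ea288bb1d71984839242425",
        "sha1": "358c9deda98ef5c705447d6272711a7f23860a59",
        "sha256": "253dac045440d4f57c049b87c90f3665c7bb26f8822e71d2b512f4b7f31fc3c0",
    },
    "WhatsApp-cleaned.bin": {
        "md5": "eb98e1dcc374d67e71a85ecc848034ec",
        "sha1": "002409d45df360fb9902fb60bb316a863c735aa2",
        "sha256": "078bbd30cad5587f8dcde105e04046cc56f8d3cef527993faec4341920e6a8eb",
    },
}
HEX_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


@dataclass(frozen=True)
class C2:
    host: str
    port: int


def parse_c2(value: str) -> C2:
    """Parse 'ip:port' and refuse values that cannot be a real C2 endpoint."""
    host, sep, port_s = value.rpartition(":")
    if not sep or not port_s.isdigit():
        raise ValueError(f"malformed C2 endpoint: {value!r}")
    ip = ipaddress.ip_address(host)          # raises ValueError on non-IP text
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not ip.is_global:                     # private, loopback, link-local, reserved
        raise ValueError(f"not a routable address: {ip}")
    return C2(str(ip), port)


def is_valid_c2(value: str) -> bool:
    """Boolean wrapper around parse_c2 for bulk screening of config values."""
    try:
        parse_c2(value)
        return True
    except ValueError:
        return False


def check_hashes(hashes: dict) -> list[str]:
    """Return a list of problems: wrong digest length, non-hex text, or the same
    digest reported for two different files (usually a copy-paste error)."""
    problems, seen = [], {}
    for name, digests in hashes.items():
        for algo, digest in digests.items():
            expect = HEX_DIGEST_LEN.get(algo)
            if expect is None:
                problems.append(f"{name}: unknown algorithm {algo}")
                continue
            if not re.fullmatch(rf"[0-9a-f]{{{expect}}}", digest.lower()):
                problems.append(f"{name}: {algo} digest is not {expect} hex chars")
                continue
            prev = seen.setdefault((algo, digest.lower()), name)
            if prev != name:
                problems.append(f"{name}: {algo} digest duplicates {prev}")
    return problems


def suricata_rule(c2: C2, sid: int, botnet: str) -> str:
    """Suricata rule alerting on any outbound TCP session to the C2 endpoint."""
    return (
        f"alert tcp $HOME_NET any -> {c2.host} {c2.port} "
        f'(msg:"RedLine stealer C2 contact, botnet {botnet}"; '
        f"flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def sha256_blocklist(hashes: dict) -> list[str]:
    """SHA-256 values in a fixed order, ready for an EDR or proxy blocklist."""
    return sorted(d["sha256"] for d in hashes.values())


if __name__ == "__main__":
    c2 = parse_c2(REDLINE_CONFIG["c2"])
    assert not check_hashes(FILE_HASHES), check_hashes(FILE_HASHES)
    print(suricata_rule(c2, sid=9000001, botnet=REDLINE_CONFIG["botnet"]))
    print("\n".join(sha256_blocklist(FILE_HASHES)))
```

The rule matches on the endpoint only; RedLine's C2 protocol runs over plain TCP on an operator-chosen port, so an address-based rule is the reliable option when you only have the extracted config.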

Targets

    • Target

      WhatsApp-cleaned.bin

    • Size

      3.9MB

    • MD5

      eb98e1dcc374d67e71a85ecc848034ec

    • SHA1

      002409d45df360fb9902fb60bb316a863c735aa2

    • SHA256

      078bbd30cad5587f8dcde105e04046cc56f8d3cef527993faec4341920e6a8eb

    • SHA512

      1f168da8f33084c04d7963528bd29fcd81cb6b7e63534096053b1726ebd33b417f4089c16884e1e9d6e4a055c298ccea1f0d22f7970ff951d63efcd4e7f8b76d

    • SSDEEP

      98304:oCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJ:o2qM+idivVNKbZfREVtc0PJ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext
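
Taken one at a time, the signatures above are noisy: plenty of legitimate software reads the locale from the registry, wallet applications read their own wallet files, and debuggers call SetThreadContext. What makes them a stealer pattern is the combination in a single process. The script below, an added example that is not part of the report or of any RedLine tooling, scores constructed telemetry on exactly that combination. The event schema, the registry values and wallet paths it matches, the exclusion list and the weights are all assumptions, not facts taken from the report.

```python
"""Correlate the behaviours the sandbox signatures describe (registry
country-code lookup, wallet file access, SetThreadContext against another
process) into a per-process stealer score. Added example with constructed
telemetry; schema, matched paths and weights are assumptions."""
import re

# Registry values a geofence check would plausibly read (assumed; the report
# only says the sample looks up the configured country code).
LOCALE_VALUE_RE = re.compile(
    r"^HKCU\\Control Panel\\International\\(iCountry|Locale|LocaleName)$",
    re.IGNORECASE,
)
# Paths of common desktop wallet files (assumed list).
WALLET_PATH_RE = re.compile(
    r"(\\wallet\.dat$|\\Exodus\\exodus\.wallet\\|\\Electrum\\wallets\\|\\Ethereum\\keystore\\)",
    re.IGNORECASE,
)
# Wallet applications reading their own files are expected, not suspicious.
WALLET_APP_RE = re.compile(r"\\(Exodus|electrum[^\\]*|bitcoin-qt)\.exe$", re.IGNORECASE)

WEIGHTS = {"locale_lookup": 1, "wallet_read": 2, "thread_context": 2}
THRESHOLD = 4   # a locale check alone, or one wallet read alone, must not fire

SAMPLE = r"C:\Users\alice\AppData\Local\Temp\WhatsApp-cleaned.bin.exe"

# Constructed telemetry in a hypothetical EDR schema (not real sandbox output).
EVENTS = [
    {"ts": 1, "pid": 4120, "image": SAMPLE, "op": "RegQueryValue",
     "target": r"HKCU\Control Panel\International\iCountry"},
    {"ts": 2, "pid": 4120, "image": SAMPLE, "op": "FileRead",
     "target": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": 3, "pid": 4120, "image": SAMPLE, "op": "FileRead",
     "target": r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"ts": 4, "pid": 4120, "image": SAMPLE, "op": "SetThreadContext",
     "target": "pid:5316"},
    # Benign noise: explorer reading the locale, the wallet app reading its own
    # wallet, and a debugger using SetThreadContext on its debuggee.
    {"ts": 5, "pid": 880, "image": r"C:\Windows\explorer.exe", "op": "RegQueryValue",
     "target": r"HKCU\Control Panel\International\LocaleName"},
    {"ts": 6, "pid": 2200, "image": r"C:\Program Files\Exodus\Exodus.exe", "op": "FileRead",
     "target": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": 7, "pid": 3100, "image": r"C:\Tools\x64dbg\x64dbg.exe", "op": "SetThreadContext",
     "target": "pid:3344"},
]


def score_processes(events):
    """Return {pid: {"image", "score", "reasons"}} with one entry per pid seen."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], {"image": ev["image"], "score": 0, "reasons": []})
        op, target = ev["op"], ev["target"]
        if op == "RegQueryValue" and LOCALE_VALUE_RE.match(target):
            if "locale_lookup" not in p["reasons"]:          # count the check once
                p["score"] += WEIGHTS["locale_lookup"]
                p["reasons"].append("locale_lookup")
        elif (op == "FileRead" and WALLET_PATH_RE.search(target)
              and not WALLET_APP_RE.search(ev["image"])):
            reason = "wallet_read:" + target.lower()
            if reason not in p["reasons"]:                    # once per wallet file
                p["score"] += WEIGHTS["wallet_read"]
                p["reasons"].append(reason)
        elif op == "SetThreadContext" and target != f"pid:{ev['pid']}":
            if "thread_context" not in p["reasons"]:          # only cross-process use counts
                p["score"] += WEIGHTS["thread_context"]
                p["reasons"].append("thread_context")
    return procs


def flagged(events, threshold=THRESHOLD):
    """Pids whose combined score reaches the threshold, in ascending order."""
    return sorted(pid for pid, p in score_processes(events).items()
                  if p["score"] >= threshold)


if __name__ == "__main__":
    for pid, p in score_processes(EVENTS).items():
        print(pid, p["image"], p["score"], p["reasons"])
    print("flagged:", flagged(EVENTS))
```

With these weights the sample process scores 7 (locale lookup, two distinct wallet files, cross-process SetThreadContext) while explorer.exe scores 1, the wallet application 0 and the debugger 2, so only the sample crosses the threshold. Real telemetry needs the wallet and locale lists tuned to the estate, and the threshold set against a baseline of how often legitimate software shows each behaviour.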

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (1)

The number after each technique is how many of the signatures above map to it. The IDs follow ATT&CK v6; in current ATT&CK versions T1081 has been retired in favour of T1552.001 (Unsecured Credentials: Credentials In Files), while T1012, T1082 and T1005 are unchanged.

Tasks