General

  • Target

    WhatsApp.zip

  • Size

    5.1MB

  • Sample

    220922-wljtrafhdn

  • MD5

    21f4c75dc23cf4a2caa5d73d7ecc5405

  • SHA1

    02428ce8ab84804e9d56f6ea847001611bc67fa4

  • SHA256

    82ea10edc8a126ed26774707ebb6d5ce828268e260549bd75877fe256e06055f

  • SHA512

    eec0704eedd154543f52225c051a2833706d785f85ca192d71a2f5f04010cffc1185c700efde6fbcb0e5729339b9d780891dd5566a6fed1007544b4548489633

  • SSDEEP

    98304:xqb3rxxPd0T23L68nY/Xmuthjv3KdP1Nixptcj/hE9QyNXM:4b3VRm228n+bJv6dP1NiHtcuNXM

Malware Config

Extracted

  • Family

    redline

  • Botnet

    ws-19

  • C2

    38.91.100.57:32750

Attributes

  • auth_value

    b8974207e31b05e60d39e04eba8eeb0b
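The extracted C2 is the most durable indicator on this page, so the natural follow-up is to sweep connection logs for it and to turn it into a network rule. The script below is an added example for this report, not sandbox output or code from the sample; the conn-log lines are constructed for illustration in a Zeek conn.log-like tab-separated layout (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) and only the C2 host and port are real. The Suricata sid is an assumption.

```python
"""Flag connections to the C2 extracted from this RedLine sample.

Added example for this report, not code from the sandbox or from the
sample. The conn-log lines are constructed; the only real indicator is
the C2 host:port from the extracted config.
"""
from dataclasses import dataclass

# From the report's extracted config (real indicator).
REDLINE_C2_HOST = "38.91.100.57"
REDLINE_C2_PORT = 32750

# Constructed sample log (assumption: Zeek-style TSV, no header row).
SAMPLE_CONN_LOG = """\
1663851000.1\tCa1\t10.0.0.5\t49812\t38.91.100.57\t32750\ttcp
1663851001.2\tCa2\t10.0.0.5\t49813\t142.250.72.46\t443\ttcp
1663851002.3\tCa3\t10.0.0.7\t49814\t38.91.100.57\t80\ttcp
1663851003.4\tCa4\t10.0.0.9\t51000\t38.91.100.57\t32750\ttcp
1663851004.5\tCa5\t10.0.0.9\t51001\t38.91.100.58\t32750\ttcp
"""


@dataclass(frozen=True)
class C2Hit:
    uid: str
    src: str
    dst: str
    dport: int
    confidence: str  # "high" when host and port match, "medium" for host only


def parse_conn_line(line: str):
    """Return (uid, src, dst, dport) for one TSV conn record, or None for a
    comment or malformed line so one bad record never aborts the sweep."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    try:
        return fields[1], fields[2], fields[4], int(fields[5])
    except ValueError:
        return None


def find_c2_hits(log_text: str, host: str = REDLINE_C2_HOST,
                 port: int = REDLINE_C2_PORT):
    """Sweep conn records for the C2. Host alone is a medium-confidence hit,
    since the port is per-build config and other builds may use another
    port on the same host; host and port together match this sample."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        uid, src, dst, dport = rec
        if dst != host:
            continue
        conf = "high" if dport == port else "medium"
        hits.append(C2Hit(uid, src, dst, dport, conf))
    return hits


def suricata_rule(host=REDLINE_C2_HOST, port=REDLINE_C2_PORT, sid=9000001):
    """Render the same indicator as a Suricata rule for blocking at the edge.
    The sid is an assumption; pick one from your local range."""
    return (f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"RedLine C2 {host}:{port} (botnet ws-19)"; '
            f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_CONN_LOG):
        print(hit)
    print(suricata_rule())
```

Run it against a real conn.log by replacing SAMPLE_CONN_LOG with the file contents; the medium-confidence hits are worth keeping because a host that serves one RedLine botnet frequently serves others on different ports.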

Targets

    • Target

      WhatsApp/WhatsApp.exe

    • Size

      700.0MB (inside a 5.1MB zip: a compression ratio this extreme means the executable is mostly repeated bytes, normally null padding appended to push the file past the upload and scan size limits of sandboxes and AV engines; the file hashes below cover that padding as well as the code, so a single extra padding byte yields a fresh, unknown hash)

    • MD5

      76e4e31dd3e40ac6790c83fa48419a55

    • SHA1

      f42363c9ca8325a47efd4f01f177702433d78ff8

    • SHA256

      661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978

    • SHA512

      78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e

    • SSDEEP

      98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Reads the country code configured in the registry, most likely a geofence check so the sample can refuse to run in certain countries.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

      SetThreadContext is a legitimate debugger API, but a non-debugger calling it on a thread of another process (typically a child it created suspended) is the last step of process hollowing and similar injection. Check which process the sample started suspended and whether that process's image was overwritten before the thread was resumed.
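Two things a handler wants to do with the dropped executable are verify it against the hashes in this report and measure the padding that lets a 700.0MB file fit in a 5.1MB zip. The script below is an added example for this report, not sandbox or sample code. The hashes in REPORT are copied from the report; SAMPLE_BYTES is a constructed stand-in (not the real WhatsApp.exe) so the script runs offline. It assumes the padding is a run of 0x00 bytes at the end of the file, which is where such padding is usually placed; a file padded elsewhere would show a low pad ratio here and needs a section-by-section entropy check instead.

```python
"""Verify a dropped file against this report's hashes and measure trailing
null padding.

Added example for this report, not sandbox or sample code. REPORT holds
real values from the report; SAMPLE_BYTES is constructed. Assumption: the
padding is a trailing run of 0x00 bytes.
"""
import hashlib

REPORT = {  # real values copied from the report
    "WhatsApp/WhatsApp.exe": {
        "md5": "76e4e31dd3e40ac6790c83fa48419a55",
        "sha1": "f42363c9ca8325a47efd4f01f177702433d78ff8",
        "sha256": "661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978",
    },
}

# Constructed stand-in: a 1026-byte non-zero "payload" then 64 KiB of nulls.
SAMPLE_BYTES = b"MZ" + bytes(range(256)) * 4 + bytes(64 * 1024)


def digests(data) -> dict:
    """MD5/SHA1/SHA256/SHA512 of the data, matching the report's fields."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def trailing_null_padding(data, chunk=1 << 20):
    """Return (payload_len, pad_len). Scans backwards in chunks so a
    read-only mmap of a 700MB file works without copying it all."""
    end = len(data)
    while end > 0:
        start = max(0, end - chunk)
        stripped = bytes(data[start:end]).rstrip(b"\x00")
        if stripped:
            payload_len = start + len(stripped)
            return payload_len, len(data) - payload_len
        end = start
    return 0, len(data)


def triage(data, name: str, report: dict = REPORT,
           pad_threshold: float = 0.5) -> dict:
    """Compare digests with the report and flag heavy null padding.

    hash_match is None when the report has no entry for `name`. Because the
    operator can re-hash a padded file by appending one more null, the
    digest of the unpadded payload (payload_sha256) is the more durable
    value to share; that choice is this example's suggestion, not the
    report's.
    """
    d = digests(data)
    expected = report.get(name, {})
    hash_match = all(d[k] == v for k, v in expected.items()) if expected else None
    payload_len, pad_len = trailing_null_padding(data)
    ratio = pad_len / len(data) if len(data) else 0.0
    return {
        "hash_match": hash_match,
        "payload_len": payload_len,
        "pad_len": pad_len,
        "pad_ratio": ratio,
        "padded": ratio >= pad_threshold,
        "payload_sha256": hashlib.sha256(bytes(data[:payload_len])).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES, "WhatsApp/WhatsApp.exe").items():
        print(f"{key}: {value}")
```

To run it on the real file, open it with `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` and pass the mapping as `data`; the backward chunked scan means only the final megabytes are ever materialised. Keep in mind that the SSDEEP values listed in this report were computed over the padded file too, so fuzzy matching against an unpadded copy will not score well.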

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    T1081 Credentials in Files (1 matched signature)

  • Discovery

    T1012 Query Registry (1 matched signature)

    T1082 System Information Discovery (2 matched signatures)

  • Collection

    T1005 Data from Local System (1 matched signature)

The IDs follow ATT&CK v6, the version this report is mapped against. In current ATT&CK, T1081 is deprecated and its content lives under T1552.001 (Unsecured Credentials: Credentials In Files); T1012, T1082 and T1005 keep their IDs.
