Resubmissions

23-09-2022 06:09

220923-gwlc1ahccl 10

23-09-2022 05:59

220923-gp5s3ahcbm 10

General

  • Target

    WhatsApp.exe

  • Size

    700.0MB

  • Sample

    220923-gwlc1ahccl

  • MD5

    76e4e31dd3e40ac6790c83fa48419a55

  • SHA1

    f42363c9ca8325a47efd4f01f177702433d78ff8

  • SHA256

    661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978

  • SHA512

    78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e

  • SSDEEP

    98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP

Malware Config

Extracted

Family

redline

Botnet

ws-19

C2

38.91.100.57:32750

Attributes
  • auth_value

    b8974207e31b05e60d39e04eba8eeb0b

Targets

    • Target

      WhatsApp.exe

    • Size

      700.0MB

    • MD5

      76e4e31dd3e40ac6790c83fa48419a55

    • SHA1

      f42363c9ca8325a47efd4f01f177702433d78ff8

    • SHA256

      661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978

    • SHA512

      78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e

    • SSDEEP

      98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks