General

  • Target

    08415e962db965deaa4e02ecf2e198942100c56b5835e9298242da837b585b69

  • Size

    129KB

  • Sample

    220926-3amvladcdk

  • MD5

    40cafffb20e76da2090434720a692d8d

  • SHA1

    331a58ae824e22e444056fab9769f14db1eecc4c

  • SHA256

    08415e962db965deaa4e02ecf2e198942100c56b5835e9298242da837b585b69

  • SHA512

    ce479e46e4696461eaabbddcace3ad51581381762b04fd6bdce44285af5304de2382a1c2ed787d2c422204bcd4a978fc5e7eece1f8aeed78eaee0da314d45184

Malware Config

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes
auth_value
7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

Family

redline

Botnet

11

C2

77.73.134.27:7161

Attributes
auth_value
e6aadafed1fda7723d7655a5894828d2

Extracted

Family

redline

Botnet

install

C2

212.8.244.233:43690

Attributes
auth_value
cbce7277fef2185d93b8332df3940ad5

Targets

    • Target

      08415e962db965deaa4e02ecf2e198942100c56b5835e9298242da837b585b69

    • Size

      129KB

    • MD5

      40cafffb20e76da2090434720a692d8d

    • SHA1

      331a58ae824e22e444056fab9769f14db1eecc4c

    • SHA256

      08415e962db965deaa4e02ecf2e198942100c56b5835e9298242da837b585b69

    • SHA512

      ce479e46e4696461eaabbddcace3ad51581381762b04fd6bdce44285af5304de2382a1c2ed787d2c422204bcd4a978fc5e7eece1f8aeed78eaee0da314d45184

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation