General

  • Target

    186a92f25dbe48f0c288400de870b660f17889d2ec9eee67ddbee4c2f3e40364

  • Size

    153KB

  • Sample

    220926-vjteqsbdc7

  • MD5

    697b2105b4052380ea3ca695acc42c79

  • SHA1

    359d945b4afc9953e797b7861dbebe9e6bf10b40

  • SHA256

    186a92f25dbe48f0c288400de870b660f17889d2ec9eee67ddbee4c2f3e40364

  • SHA512

    28b199679e4022ec5d90923d4b129b9c47ed3deab382c23252b23c353abe50df5092d925af496eac264106e8bc051d24a510f2d1be6a8a1b0f832c285fe62f03

  • SSDEEP

    3072:0GxzTjTc5S5utC0mK45muLR91BHr0v5B:hW40mKArz

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

C2

77.73.134.27:7161

Attributes
  • auth_value

    4b2de03af6b6ac513ac597c2e6c1ad51

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes
  • auth_value

    7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

Family

redline

Botnet

installskript

C2

185.224.133.182:16382

Attributes
  • auth_value

    f7f5626eb8e9e541c2d17255f9d8f755

Targets

    • Target

      186a92f25dbe48f0c288400de870b660f17889d2ec9eee67ddbee4c2f3e40364

    • Size

      153KB

    • MD5

      697b2105b4052380ea3ca695acc42c79

    • SHA1

      359d945b4afc9953e797b7861dbebe9e6bf10b40

    • SHA256

      186a92f25dbe48f0c288400de870b660f17889d2ec9eee67ddbee4c2f3e40364

    • SHA512

      28b199679e4022ec5d90923d4b129b9c47ed3deab382c23252b23c353abe50df5092d925af496eac264106e8bc051d24a510f2d1be6a8a1b0f832c285fe62f03

    • SSDEEP

      3072:0GxzTjTc5S5utC0mK45muLR91BHr0v5B:hW40mKArz

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks