General

  • Target

    b1fdc6053fae4505c4ffd283e3b0fd7c2f932f2669adff9bc1eeadb811ed8bf3

  • Size

    129KB

  • Sample

    220927-cn4r6acch2

  • MD5

    b7b012979d3272ef086a5defd776670c

  • SHA1

    189bfd3e76632c0383bad3b1f0729c8372ec1feb

  • SHA256

    b1fdc6053fae4505c4ffd283e3b0fd7c2f932f2669adff9bc1eeadb811ed8bf3

  • SHA512

    058f247b5ae03ee97e79574e22b1943a3d490b009f1acaa71cbd03c6b56d9a1a7b89650413bf5507502674801988f0e3583e8b705ccbfa735f8188210d9bada2

Malware Config

Extracted

  • Family

    redline

  • Botnet

    inslab26

  • C2

    185.182.194.25:8251

  • Attributes

    auth_value: 7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

  • Family

    redline

  • Botnet

    11

  • C2

    77.73.134.27:7161

  • Attributes

    auth_value: e6aadafed1fda7723d7655a5894828d2

Extracted

  • Family

    redline

  • Botnet

    install

  • C2

    212.8.244.233:43690

  • Attributes

    auth_value: cbce7277fef2185d93b8332df3940ad5

Targets

    • Target

      b1fdc6053fae4505c4ffd283e3b0fd7c2f932f2669adff9bc1eeadb811ed8bf3

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Tactics

    Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation