General

  • Target

    f2fc6bce6a8e73c80e4135efc97c7ffa9a8144047533419c09e4cc77810e7d54

  • Size

    128KB

  • Sample

    220927-eg3ydsdehl

  • MD5

    b4b83c4e49550c051300ca43fed04c88

  • SHA1

    974457dc2560900c8bfd3bd3245b030b0bacc39b

  • SHA256

    f2fc6bce6a8e73c80e4135efc97c7ffa9a8144047533419c09e4cc77810e7d54

  • SHA512

    514314fe3d7448bf031b61f498fd46197536fbda50980222a8f3309819e52350fe41613da2a0c85de839e5e4b013097380e34cdfe6054b268c3b3776aa1fc53d

Malware Config

Extracted

Family

redline

Botnet

11

C2

77.73.134.27:7161

Attributes
auth_value
e6aadafed1fda7723d7655a5894828d2

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes
auth_value
7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

Family

redline

Botnet

install

C2

212.8.244.233:43690

Attributes
auth_value
cbce7277fef2185d93b8332df3940ad5

Targets

    • Target

      f2fc6bce6a8e73c80e4135efc97c7ffa9a8144047533419c09e4cc77810e7d54

    • Size

      128KB

    • MD5

      b4b83c4e49550c051300ca43fed04c88

    • SHA1

      974457dc2560900c8bfd3bd3245b030b0bacc39b

    • SHA256

      f2fc6bce6a8e73c80e4135efc97c7ffa9a8144047533419c09e4cc77810e7d54

    • SHA512

      514314fe3d7448bf031b61f498fd46197536fbda50980222a8f3309819e52350fe41613da2a0c85de839e5e4b013097380e34cdfe6054b268c3b3776aa1fc53d

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation