General

  • Target: 40cafffb20e76da2090434720a692d8d.exe
  • Size: 129KB
  • Sample: 220927-eshftscdg6
  • MD5: 40cafffb20e76da2090434720a692d8d
  • SHA1: 331a58ae824e22e444056fab9769f14db1eecc4c
  • SHA256: 08415e962db965deaa4e02ecf2e198942100c56b5835e9298242da837b585b69
  • SHA512: ce479e46e4696461eaabbddcace3ad51581381762b04fd6bdce44285af5304de2382a1c2ed787d2c422204bcd4a978fc5e7eece1f8aeed78eaee0da314d45184
  • SSDEEP: 3072:BW+pT85Nk3bm3e8DIok0xTwEE7W/LS6g+lQf5B:BBD6e8y0RHWMLg+

Malware Config

Extracted

  • Family: redline
  • Botnet: 11
  • C2: 77.73.134.27:7161
  • Attributes
      auth_value: e6aadafed1fda7723d7655a5894828d2

Extracted

  • Family: redline
  • Botnet: install
  • C2: 212.8.244.233:43690
  • Attributes
      auth_value: cbce7277fef2185d93b8332df3940ad5

Targets

    • Target: 40cafffb20e76da2090434720a692d8d.exe


    • Detects Smokeloader packer

    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader: Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                      Count  ID
  Credential Access    Credentials in Files           2      T1081
  Discovery            Query Registry                 2      T1012
  Discovery            Peripheral Device Discovery    1      T1120
  Discovery            System Information Discovery   1      T1082
  Collection           Data from Local System         2      T1005
  Command and Control  Web Service                    1      T1102
