General

  • Target

    6014786b41622c5201cdb283d606c70831da00f1d890087b2be68fb4f5515e71

  • Size

    295KB

  • Sample

    220928-mfes6sggak

  • MD5

    86345902abc8dc824054e4072baa1b64

  • SHA1

    0b568cfd96818707561dc4fa9ccb58555bf6547a

  • SHA256

    6014786b41622c5201cdb283d606c70831da00f1d890087b2be68fb4f5515e71

  • SHA512

    1c3113717337af7e0d4382f07ffbb4905e5f8e42c0c598f6e071fdefd7ee28fd0b13f811697e32898b6b25cb78f76bd799a2eb3ed94d037050f1a7010a4db3c4

  • SSDEEP

    6144:ZCi4QZlSKg8dmQ0gVaCIeG0CigavwVfIf:Zc+fg8f0w1IenRf

Malware Config

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes
  • auth_value

    7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

Family

redline

Botnet

981705428_pjm12r96

C2

179.43.175.170:38766

Attributes
  • auth_value

    863097aff7128c494bbb9b4c949876ce

Extracted

Family

redline

Botnet

dfg

C2

janolavave.xyz:80

Attributes
  • auth_value

    10f346d0770417f0d92818aeec31441b

Extracted

Family

redline

Botnet

fud

C2

45.15.156.7:48638

Attributes
  • auth_value

    da2faefdcf53c9d85fcbb82d0cbf4876
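
The four extracted configurations above share one layout (family, botnet, C2 endpoint, auth_value), and that layout is what a practitioner has to turn into blockable indicators. The script below is an added example, not part of the sandbox report: it parses that layout from the report text (embedded here as a constructed string with the blank separator lines dropped), checks that each C2 endpoint and auth_value has the expected shape, separates the IP C2s from the single domain C2, and renders illustrative Suricata rules. The rule SIDs and the `$HOME_NET` variable are placeholders, and the `dns.query` sticky buffer assumes Suricata 5 or later.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the report's four "Extracted" blocks, values copied from the
# page, blank separator lines removed (the parser ignores them anyway).
REPORT_TEXT = """
Extracted
Family
redline
Botnet
inslab26
C2
185.182.194.25:8251
Attributes
  • auth_value
    7c9cbd0e489a3c7fd31006406cb96f5b
Extracted
Family
redline
Botnet
981705428_pjm12r96
C2
179.43.175.170:38766
Attributes
  • auth_value
    863097aff7128c494bbb9b4c949876ce
Extracted
Family
redline
Botnet
dfg
C2
janolavave.xyz:80
Attributes
  • auth_value
    10f346d0770417f0d92818aeec31441b
Extracted
Family
redline
Botnet
fud
C2
45.15.156.7:48638
Attributes
  • auth_value
    da2faefdcf53c9d85fcbb82d0cbf4876
"""


@dataclass(frozen=True)
class RedlineConfig:
    family: str
    botnet: str
    c2_host: str
    c2_port: int
    auth_value: str

    @property
    def c2_is_ip(self):
        try:
            ipaddress.ip_address(self.c2_host)
            return True
        except ValueError:
            return False


def parse_extracted(text):
    """Parse every 'Extracted' block of the report layout into a RedlineConfig.

    Each field is a label line followed by a value line; 'Attributes' is a group
    header with no value and attribute names carry a '•' bullet.
    """
    configs = []
    for block in re.split(r"(?m)^Extracted\s*$", text)[1:]:
        tokens = [ln.strip().lstrip("•").strip() for ln in block.splitlines() if ln.strip()]
        tokens = [t for t in tokens if t != "Attributes"]
        if len(tokens) % 2:
            raise ValueError(f"unbalanced label/value lines in block: {tokens}")
        fields = dict(zip(tokens[0::2], tokens[1::2]))
        host, sep, port = fields["C2"].rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 endpoint: {fields['C2']!r}")
        auth = fields["auth_value"].lower()
        if not re.fullmatch(r"[0-9a-f]{32}", auth):  # all four values on the page are 32 hex chars
            raise ValueError(f"unexpected auth_value format: {auth!r}")
        configs.append(RedlineConfig(fields["Family"], fields["Botnet"], host, int(port), auth))
    return configs


def network_iocs(configs):
    """Deduplicated host:port endpoints, split into IP-based and domain-based sets."""
    ips = sorted({f"{c.c2_host}:{c.c2_port}" for c in configs if c.c2_is_ip})
    domains = sorted({f"{c.c2_host}:{c.c2_port}" for c in configs if not c.c2_is_ip})
    return ips, domains


def suricata_rules(configs, base_sid=9000001):
    """Illustrative Suricata rules; base_sid is a placeholder, not an assigned range.

    IP C2s get a TCP rule on the exact host/port. A domain C2 cannot sit in the
    rule header, so it is matched on the DNS query for the hostname instead.
    """
    rules = []
    for sid, c in enumerate(configs, start=base_sid):
        msg = f"RedLine C2 botnet {c.botnet}"
        if c.c2_is_ip:
            rules.append(f'alert tcp $HOME_NET any -> {c.c2_host} {c.c2_port} '
                         f'(msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg} DNS lookup"; '
                         f'dns.query; content:"{c.c2_host}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    cfgs = parse_extracted(REPORT_TEXT)
    for c in cfgs:
        print(f"{c.botnet:<20} {c.c2_host}:{c.c2_port} ip={c.c2_is_ip} auth={c.auth_value}")
    print(*suricata_rules(cfgs), sep="\n")
```

Note that the auth_value is kept as an indicator of the specific build rather than folded into a network rule: it travels inside the C2 session, so it is useful for correlating samples across reports, not for matching on the wire without decoding the protocol.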

Targets

    • Target

      6014786b41622c5201cdb283d606c70831da00f1d890087b2be68fb4f5515e71

    • Size

      295KB

    • MD5

      86345902abc8dc824054e4072baa1b64

    • SHA1

      0b568cfd96818707561dc4fa9ccb58555bf6547a

    • SHA256

      6014786b41622c5201cdb283d606c70831da00f1d890087b2be68fb4f5515e71

    • SHA512

      1c3113717337af7e0d4382f07ffbb4905e5f8e42c0c598f6e071fdefd7ee28fd0b13f811697e32898b6b25cb78f76bd799a2eb3ed94d037050f1a7010a4db3c4

    • SSDEEP

      6144:ZCi4QZlSKg8dmQ0gVaCIeG0CigavwVfIf:Zc+fg8f0w1IenRf

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is the pattern process-hollowing loaders use to point a suspended process at injected code; together with "Executes dropped EXE" it is consistent with the stealer being unpacked into a second process rather than run directly.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                      Count  ID
  Credential Access    Credentials in Files           2      T1081
  Discovery            Network Service Scanning       1      T1046
  Discovery            Query Registry                 2      T1012
  Discovery            System Information Discovery   2      T1082
  Discovery            Peripheral Device Discovery    1      T1120
  Collection           Data from Local System         2      T1005
  Command and Control  Web Service                    1      T1102

Technique IDs follow ATT&CK v6, the version this report was mapped against; T1081 has since been retired in favour of T1552.001 (Unsecured Credentials: Credentials In Files), so translate it before feeding these IDs into tooling that expects a current matrix.

Tasks