Overview

overview

10

Static

static

MicrosoftR...ts.exe

windows7-x64

10

MicrosoftR...ts.exe

windows10-1703-x64

10

MicrosoftR...ts.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eira.zip

  • Size

    1.5MB

  • Sample

    221010-kbrwtsbdbp

  • MD5

    0d6a424f41bfa4d706ff7449859e8862

  • SHA1

    eae88fa09c19ae95915237906d9a6e96fddefb9f

  • SHA256

    43fcbced48b47166f1e3076c6e67a9fa24994777ae13d9420c4865f01292f8b4

  • SHA512

    ad539faec6821994dff9a52d700ecff3393248729a536d6f7c76e03c8062878a5e675449290f72c7cfafd07d98767cda2c3568c2df38b150b35e65ec7ea6b32b

  • SSDEEP

    24576:YwYpkzWoerv77sRJ1YUqxyFFLeRK012zec6G7ozvJW+VtCVDF4YAVI27K66dUls:YwY577sJPLeYsYeOEzvg+raDGYuIRUls

Score
10/10
redline4discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

4

C2

65.108.208.77:7079

Attributes
  • auth_value

    5960e9132cc19aa61f05cfde86bd2272

Targets

    • Target

      MicrosoftRuntimeComponents.exe

    • Size

      833.5MB

    • MD5

      ad71745bcb2bb1d4a79ec5c75062d09b

    • SHA1

      4545aecb1eb4c1a24641512b90b66782fea36fc9

    • SHA256

      a91873b251e1715b1e8b08e11625ff41299101145532ec7d2dfc2a388e3ba7b0

    • SHA512

      47f8bc782f58bcf469dee10ec729e919be561dc21c74231516aca3451b989381ed70b30629575a182a9e4f93f17f085ef468003d2480b003e9ac710af9ec1dfa

    • SSDEEP

      12288:GnjoJLD6/JnWZQzjFeM6DJOjB9sTTHymtrGj2PLpKDqXt1M4fN1rslbEpWxUF3HM:CnYQb6VOOiqE+U4fNRzHOS

    Score
    10/10
    redline4discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks