General

  • Target

    c34729173ecc820eb7674431597d78be.exe

  • Size

    427KB

  • Sample

    221016-gtq6gahab3

  • MD5

    c34729173ecc820eb7674431597d78be

  • SHA1

    884f343876a8bb0ebac63c28191c22c6f69590f8

  • SHA256

    7ad55278a8285dace5bb637348e5990c356a7c35bbcb8e2d53fd3dc64573d4c0

  • SHA512

    f9c93a0c6f55217016fe5ba550e9948662901b9240662708ac93074bf9692427b73ce10864927026b118aeb6622a47cfa04976bbc9b482a31aef21a5c96786a0

  • SSDEEP

    3072:yvGyYiSDnt1Et5CmPo8VGAnxoctr6Byd4TUISI:24UCp6n756BmlI

Malware Config

Extracted

Family

redline

Botnet

Nigh

C2

80.66.87.20:80

Attributes
  • auth_value

    dab8506635d1dc134af4ebaedf4404eb

Targets

    • Target

      c34729173ecc820eb7674431597d78be.exe

    • Size

      427KB

    • MD5

      c34729173ecc820eb7674431597d78be

    • SHA1

      884f343876a8bb0ebac63c28191c22c6f69590f8

    • SHA256

      7ad55278a8285dace5bb637348e5990c356a7c35bbcb8e2d53fd3dc64573d4c0

    • SHA512

      f9c93a0c6f55217016fe5ba550e9948662901b9240662708ac93074bf9692427b73ce10864927026b118aeb6622a47cfa04976bbc9b482a31aef21a5c96786a0

    • SSDEEP

      3072:yvGyYiSDnt1Et5CmPo8VGAnxoctr6Byd4TUISI:24UCp6n756BmlI

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Tasks