General

  • Target

    b30d09ee47eafb236742ad7831adedb8.exe

  • Size

    374KB

  • Sample

    221017-a3jpesadf3

  • MD5

    b30d09ee47eafb236742ad7831adedb8

  • SHA1

    88339c398d0cc01f720f55499dd622ab6b29a561

  • SHA256

    e00e158ba45b49cdfdca374f0f8f64a1df6c3b05f2034ac71ed0f3a1144f2ee2

  • SHA512

    c4c0613e991242ab87cd0d312da42b67b1ef20ebbcebe08fd79aee5ac72b617a3fcb8a97c6cb7254205e6715642039ed557c99bb7637dac2104454b5a5b7f412

  • SSDEEP

    1536:HI47GyTGCwiSnmQUt0LB1c5s5gvubJueyupHgz:HvGyYiSDnt1cW54u9lx1W

Malware Config

Extracted

Family

redline

Botnet

Nigh

C2

80.66.87.20:80

Attributes
  • auth_value

    dab8506635d1dc134af4ebaedf4404eb

Targets

    • Target

      b30d09ee47eafb236742ad7831adedb8.exe

    • Size

      374KB

    • MD5

      b30d09ee47eafb236742ad7831adedb8

    • SHA1

      88339c398d0cc01f720f55499dd622ab6b29a561

    • SHA256

      e00e158ba45b49cdfdca374f0f8f64a1df6c3b05f2034ac71ed0f3a1144f2ee2

    • SHA512

      c4c0613e991242ab87cd0d312da42b67b1ef20ebbcebe08fd79aee5ac72b617a3fcb8a97c6cb7254205e6715642039ed557c99bb7637dac2104454b5a5b7f412

    • SSDEEP

      1536:HI47GyTGCwiSnmQUt0LB1c5s5gvubJueyupHgz:HvGyYiSDnt1cW54u9lx1W

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (RedLine and SmokeLoader builds commonly exit on CIS locales).

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                           Count  ID
  Persistence        Registry Run Keys / Startup Folder  1      T1060
  Defense Evasion    Modify Registry                     1      T1112
  Credential Access  Credentials in Files                2      T1081
  Discovery          Query Registry                      3      T1012
  Discovery          System Information Discovery        3      T1082
  Discovery          Peripheral Device Discovery         1      T1120
  Collection         Data from Local System              2      T1005

  The IDs are ATT&CK v6 identifiers. In current ATT&CK versions T1060 has been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 into T1552.001 (Unsecured Credentials: Credentials In Files); T1112, T1012, T1082, T1120 and T1005 are unchanged.
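The signatures and the ATT&CK mapping above describe what the sample does; the script below, an added example and not part of the sandbox report, turns them into host-side checks. It runs over constructed Sysmon-style events (plain dicts whose field names follow Sysmon's schema for EventID 1, 3 and 13; the events, the user path and the dropped file name `drop.exe` are made up for the example) and matches them against the indicators the report extracted: the file hashes, the RedLine C2 `80.66.87.20:80`, the Run-key persistence, and a child process started by the known sample (the "Executes dropped EXE" behaviour).

```python
"""Host-side checks derived from the sandbox report: hash, C2, Run key, dropped EXE.
Runs over constructed Sysmon-style events (dicts), not real telemetry."""
import re

# Indicators copied from the report's General / Malware Config sections.
SAMPLE_HASHES = {
    "MD5": "b30d09ee47eafb236742ad7831adedb8",
    "SHA1": "88339c398d0cc01f720f55499dd622ab6b29a561",
    "SHA256": "e00e158ba45b49cdfdca374f0f8f64a1df6c3b05f2034ac71ed0f3a1144f2ee2",
}
C2_IP, C2_PORT = "80.66.87.20", 80

# Run / RunOnce under any hive; corresponds to the "Adds Run key" signature (T1060).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def parse_hashes(field):
    """Sysmon writes hashes as 'SHA256=..,MD5=..'; return {ALGO: lowercase digest}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def match_events(events):
    """Return a list of (label, detail) hits in event order.

    Keeps the images of the known sample and of anything it spawns, so a later
    process-create whose parent is in that set is reported as 'dropped EXE'."""
    hits, sample_images = [], set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process create
            image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
            seen = parse_hashes(ev.get("Hashes", ""))
            if any(seen.get(algo) == digest for algo, digest in SAMPLE_HASHES.items()):
                sample_images.add(image.lower())
                hits.append(("ioc:hash", f"known sample started: {image}"))
            elif parent.lower() in sample_images:
                sample_images.add(image.lower())  # follow the chain: dropper -> payload
                hits.append(("behaviour:dropped-exe", f"{parent} started {image}"))
        elif eid == 3:  # network connection
            if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
                hits.append(("ioc:c2", f"{ev.get('Image')} -> {C2_IP}:{C2_PORT}"))
        elif eid == 13:  # registry value set
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                hits.append(("T1060", f"Run-key persistence: {target} = {ev.get('Details')}"))
    return hits


# Constructed events modelled on the report's behaviour list (paths and drop.exe are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\Desktop\b30d09ee47eafb236742ad7831adedb8.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA1=88339C398D0CC01F720F55499DD622AB6B29A561,"
               "SHA256=E00E158BA45B49CDFDCA374F0F8F64A1DF6C3B05F2034AC71ED0F3A1144F2EE2"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\drop.exe",
     "ParentImage": r"C:\Users\u\Desktop\b30d09ee47eafb236742ad7831adedb8.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\drop.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\drop",
     "Details": r"C:\Users\u\AppData\Local\Temp\drop.exe"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\drop.exe",
     "DestinationIp": "80.66.87.20", "DestinationPort": "80"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "80.66.87.20", "DestinationPort": "443"},  # other port: no hit
]

if __name__ == "__main__":
    for label, detail in match_events(SAMPLE_EVENTS):
        print(f"{label:22} {detail}")
```

Sysmon records registry creates, deletes and value writes but not reads, so the two read-only behaviours in the report (the country-code lookup and the Uninstall-key enumeration) do not appear in these events; they need sandbox telemetry or Windows object-access auditing on the relevant keys. The C2 match is on exact IP and port, as extracted from the config; a real rule would also key on the `auth_value` seen in the first POST, which this example does not model.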

Tasks