General

  • Target

    6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4

  • Size

    543KB

  • Sample

    221017-wvzlkaceg9

  • MD5

    86be1fd07bcfd80a12c0bb77b8e6f45d

  • SHA1

    41e7de66d97cda087f4c3ef8920095367c4f9080

  • SHA256

    6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4

  • SHA512

    52550fad0f487c5ab4407bdf659dcb53cb7d1d91a89a4adb8899c67d449417e08053853af1c8d0a2f6147478092f5aebcb3316844dddc71d4e94e5ba8af4e840

  • SSDEEP

    1536:jrae78zjORCDGwfdCSog01313/s5g0VclU+jxeTjs7d59QRr32+P8yYiN:JahKyd2n31E5FOxeTwd0RrXUyY0

Malware Config

Extracted

Family

redline

Botnet

Nigh

C2

80.66.87.20:80

Attributes
  • auth_value

    dab8506635d1dc134af4ebaedf4404eb
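The extracted configuration above pins this build to one C2 endpoint, and the General section gives the sample's hashes. As an added example (not part of the sandbox report), the Python script below sweeps constructed Zeek-style conn.log lines for connections to that exact ip:port and checks a constructed file-hash inventory against the SHA256. The indicator values are copied from the report; the log lines, internal addresses, paths and the inventory are invented for the example.

```python
"""Added example (not part of the sandbox report): sweep constructed logs for the
RedLine indicators listed above.

Indicator values are copied from the report; the conn.log lines, the file
inventory, internal IP addresses and paths are constructed for the example.
"""
from dataclasses import dataclass
import hashlib

C2_HOST = "80.66.87.20"          # from the extracted config
C2_PORT = 80
SAMPLE_SHA256 = "6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4"

# Constructed Zeek-style conn.log excerpt (tab-separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1666000000.123456\tCabc1\t10.0.0.5\t49712\t142.250.74.78\t443\ttcp\n"
    "1666000001.222222\tCabc2\t10.0.0.5\t49713\t80.66.87.20\t80\ttcp\n"
    "1666000002.333333\tCabc3\t10.0.0.9\t49714\t80.66.87.20\t8080\ttcp\n"
    "1666000003.444444\tCabc4\t10.0.0.5\t49715\t80.66.87.20\t80\ttcp\n"
)

# Constructed file inventory, one "<sha256>  <path>" per line.  Hash case
# differs on purpose: hashing tools are inconsistent about it.
INVENTORY = (
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  C:\\Windows\\Temp\\empty.bin\n"
    "6023D2E3D6AE4901FE997E9133C488DFBD50736E47034A6EE45D4C5952F26EE4  C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe\n"
)


@dataclass(frozen=True)
class Beacon:
    ts: float
    src: str
    dst: str
    dport: int


def find_c2_connections(log_text, host=C2_HOST, port=C2_PORT):
    """Return connections whose responder is exactly the configured C2 ip:port.

    Port is matched as well as address: the extracted config names one fixed
    ip:port pair, so traffic to the same address on another port is only a
    weak indicator and is deliberately left out here.
    """
    beacons = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, _uid, orig_h, _orig_p, resp_h, resp_p, _proto = fields[:7]
        if resp_h == host and int(resp_p) == port:
            beacons.append(Beacon(float(ts), orig_h, resp_h, int(resp_p)))
    return beacons


def summarize_beacons(beacons):
    """Collapse hits per internal source host: (count, first_ts, last_ts)."""
    summary = {}
    for b in beacons:
        count, first, last = summary.get(b.src, (0, b.ts, b.ts))
        summary[b.src] = (count + 1, min(first, b.ts), max(last, b.ts))
    return summary


def inventory_matches(inventory_text, sha256=SAMPLE_SHA256):
    """Paths whose recorded SHA256 equals the sample hash (case-insensitive)."""
    paths = []
    for line in inventory_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == sha256.lower():
            paths.append(parts[1])
    return paths


def sha256_of(data):
    """SHA256 hex digest of file contents, for checking a suspect file directly.
    Only SHA256 is compared: MD5 and SHA1 are listed in the report for legacy
    feeds but are not collision resistant."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    beacons = find_c2_connections(CONN_LOG)
    for src, (n, first, last) in summarize_beacons(beacons).items():
        print(f"{src}: {n} connections to {C2_HOST}:{C2_PORT} between {first} and {last}")
    for path in inventory_matches(INVENTORY):
        print(f"known RedLine sample on disk: {path}")
```

On real data, feed `find_c2_connections` the conn.log of the period in question and pass the output of a hashing sweep to `inventory_matches`; the port check is intentional, since the report's config gives a single ip:port pair.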

Targets

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is the usual final step of process hollowing: the entry point of a suspended process is redirected to injected code before the thread is resumed.
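The "Adds Run key to start application" signature above corresponds to a registry value write that Sysmon records as Event ID 13 (RegistryEvent, value set). As an added example (not part of the sandbox report), the Python script below flags such writes when the Run/RunOnce value or the writing process points into a user-writable directory, which is the layout an infostealer or loader leaves behind. The field names are Sysmon's; the SIDs, paths, value names and timestamps in the event lines are constructed for the example.

```python
"""Added example (not part of the sandbox report): flag Run-key persistence
(ATT&CK v6 T1060) in constructed Sysmon Event ID 13 (RegistryEvent: value set)
records, the telemetry that a Run key write like the one reported above
leaves behind.

Events are JSON lines using Sysmon's field names; the SIDs, paths, value
names and timestamps are constructed for the example.
"""
import json
import re

# HKLM\Software\...\Run, the per-user HKU\<SID>\Software\...\Run and the
# Wow6432Node variants, for both Run and RunOnce.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\",
    re.IGNORECASE,
)
# Directories a non-admin user can write to; a Run value pointing there is the
# classic infostealer/loader layout.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)

EVENTS = r"""
{"EventID": 13, "UtcTime": "2022-10-17 12:00:01", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "C:\\Program Files\\Vendor\\tray.exe"}
{"EventID": 12, "UtcTime": "2022-10-17 12:03:10", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"EventID": 13, "UtcTime": "2022-10-17 12:03:11", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"}
{"EventID": 13, "UtcTime": "2022-10-17 12:05:42", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VendorApp\\DisplayName", "Details": "Vendor App 1.0"}
{"EventID": 13, "UtcTime": "2022-10-17 12:09:00", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Helper", "Details": "C:\\Users\\Public\\helper.exe"}
"""


def flag_run_key_persistence(jsonl):
    """Return one finding per Run/RunOnce value write that looks like
    persistence for a payload in user-writable space."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Event 12 (key create/delete) carries no value; only 13 shows the target.
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        details, image = ev.get("Details", ""), ev.get("Image", "")
        reasons = []
        if USER_WRITABLE_RE.search(details):
            reasons.append("run value points into a user-writable directory")
        if USER_WRITABLE_RE.search(image):
            reasons.append("writing process runs from a user-writable directory")
        if reasons:
            findings.append({
                "time": ev.get("UtcTime", ""),
                "image": image,
                "key": target,
                "value": details,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_run_key_persistence(EVENTS):
        print(f"{f['time']}  {f['image']} -> {f['key']} = {f['value']}")
        for r in f["reasons"]:
            print(f"    {r}")
```

The Uninstall-key line is included as a negative case: the "Checks installed software" signature above is a registry read, which Sysmon does not log, so only value writes under Run/RunOnce are scored here. Installer writes that point into Program Files pass through untouched.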

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Count  ID
  Persistence        Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion    Modify Registry                      1      T1112
  Credential Access  Credentials in Files                 2      T1081
  Discovery          Query Registry                       2      T1012
  Discovery          System Information Discovery         2      T1082
  Discovery          Peripheral Device Discovery          1      T1120
  Collection         Data from Local System               2      T1005

Tasks