redline

General

Target

F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
Size

4.1MB
Sample

221020-j29nwschan
MD5

803238fd75925bebb2d385b7c472b8f7
SHA1

0f06400fd1e6e0003e90e6e289ef53b968ddb6dd
SHA256

f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c
SHA512

ceab74a27e52e29574a14b0ca0e66cb2fae8a6e0d6bb7a8f89aa7a66d5a918ba23bf3ae73cc1e5c00bb8c031ad6465208b6d3d40c07df882a681de7b46c692f9
SSDEEP

98304:vFEn+sPuptl3GCXOStfnCKWdZkkby1/++UIAr:vREupr/XO+CDdZPby1/ZUIe

Score

10^/10

Malware Config

Extracted

Family

redline

C2

45.87.155.189:20856

Attributes

auth_value
ac64e5ead391346e804f0d9ec2f18faa

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://files.catbox.moe/3pwn9k.jpg

Extracted

Family

wshrat

C2

http://svchost.ydns.eu:8000

Targets

- Target
  
  F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
- Size
  
  4.1MB
- MD5
  
  803238fd75925bebb2d385b7c472b8f7
- SHA1
  
  0f06400fd1e6e0003e90e6e289ef53b968ddb6dd
- SHA256
  
  f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c
- SHA512
  
  ceab74a27e52e29574a14b0ca0e66cb2fae8a6e0d6bb7a8f89aa7a66d5a918ba23bf3ae73cc1e5c00bb8c031ad6465208b6d3d40c07df882a681de7b46c692f9
- SSDEEP
  
  98304:vFEn+sPuptl3GCXOStfnCKWdZkkby1/++UIAr:vREupr/XO+CDdZPby1/ZUIe
Score

10^/10

redline strrat wshrat infostealer persistence stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

RedLine payload

STRRAT

WSHRAT

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2