Resubmissions

22-12-2022 00:38

221222-azdc8sdf64 8

04-11-2022 18:34

221104-w73hzsbgal 10

04-11-2022 17:36

221104-v6p1tsbcbp 10

General

  • Target

    7ad55278a8285dace5bb637348e5990c356a7c35bbcb8e2d53fd3dc64573d4c0.zip

  • Size

    110KB

  • Sample

    221104-v6p1tsbcbp

  • MD5

    830ea823d17e0601a60ccf24f6054dba

  • SHA1

    637b659f7494190a4312061c0deeb1dd3d14650c

  • SHA256

    565517ddfa6d09fa094c5dbddfe70447d0fcc0f2dfe66bba5f9f9ef73c47c6d6

  • SHA512

    050eac86b09255048c8124c48517478fecae8d6d2ef7da9186d2723fd2f34ad13e006cd0402ce88c8bbb57cc65c348f6442b848d20c5d3b0a16e795be4ceec3c

  • SSDEEP

    1536:Hm6GWV041X2Y80CsHZ4x/MIGJhzNlMBAKbx7gkslmOPeLIdxrmZ0xhwb7caQG4:LX20CM4xmLlMuwCDwMZOOocLG4

Malware Config

Extracted

Family

redline

Botnet

Nigh

C2

80.66.87.20:80

Attributes
  • auth_value

    dab8506635d1dc134af4ebaedf4404eb

Targets

    • Target

      7ad55278a8285dace5bb637348e5990c356a7c35bbcb8e2d53fd3dc64573d4c0.exe

    • Size

      427KB

    • MD5

      c34729173ecc820eb7674431597d78be

    • SHA1

      884f343876a8bb0ebac63c28191c22c6f69590f8

    • SHA256

      7ad55278a8285dace5bb637348e5990c356a7c35bbcb8e2d53fd3dc64573d4c0

    • SHA512

      f9c93a0c6f55217016fe5ba550e9948662901b9240662708ac93074bf9692427b73ce10864927026b118aeb6622a47cfa04976bbc9b482a31aef21a5c96786a0

    • SSDEEP

      3072:yvGyYiSDnt1Et5CmPo8VGAnxoctr6Byd4TUISI:24UCp6n756BmlI

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks