General

  • Target

    C4Loader.exe

  • Size

    126KB

  • Sample

    221107-kh6cssafcl

  • MD5

    e755b7599fc8b631b954d2d80a3246cb

  • SHA1

    0f557b0b356fc7b5462d252cccd19f93b2cc696a

  • SHA256

    4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d

  • SHA512

    426bec87d3c521b99d34813d9953aa7eaebbbebc155056e3fe53f893c8fca7a9ee1c4657c192472c82323470388f1238a994ac6fb54ad3d7f2e42355229e2a7c

  • SSDEEP

    3072:AWrLpduTeRflPTgZv6NV5GqZdPAxusJt6fgMvXM0jJ5Y7eyFNeVmlUOL18c:AUL4YpTV4mAxh6fDyFxL18c

Malware Config

Extracted

  • Family

    redline

  • Botnet

    1

  • C2

    107.182.129.73:21733

  • Attributes

    auth_value: 3a5bb0917495b4312d052a0b8977d2bb

Targets

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1) - T1064

  • Persistence

    Modify Existing Service (2) - T1031

  • Defense Evasion

    Modify Registry (1) - T1112

    Impair Defenses (1) - T1562

    Scripting (1) - T1064

  • Impact

    Service Stop (1) - T1489