General

  • Target

    c12095b5e77be004fd37dfa50785f6578f07b702e681d751ae050be5ede8e5b7

  • Size

    258KB

  • Sample

    221112-vsr82agg68

  • MD5

    43d67143a8a8199ad104cee9e8005968

  • SHA1

    067642d532aaa2e4ea26e8ad121f31db2e5a7c7b

  • SHA256

    c12095b5e77be004fd37dfa50785f6578f07b702e681d751ae050be5ede8e5b7

  • SHA512

    1152a47384612008d402f10292eb32acc7819c0e780bb8ec85570993a47e1358b99929a1ceb80e18189daab734fe6d7956f0b42bf7f2ef70dc38bcc6fecfee0c

  • SSDEEP

    6144:lN2bVLr9JgZkzllVBqtUIfMYmtJZTy2fqwW:lN25f9JgM7VBSUIfmtLG2fqz

Malware Config

Extracted

  • Family

    redline

  • Botnet

    boy

  • C2

    77.73.134.241:4691

  • Attributes

    auth_value: a91fa8cc2cfaefc42a23c03faef44bd3

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                              Count   ID
  ---------------------  -------------------------------------  -----  -----
  Execution              Scheduled Task                           1    T1053
  Persistence            Registry Run Keys / Startup Folder       1    T1060
  Persistence            Scheduled Task                           1    T1053
  Privilege Escalation   Scheduled Task                           1    T1053
  Defense Evasion        Modify Registry                          1    T1112
  Discovery              System Information Discovery             1    T1082

Tasks