General

  • Target

    06b37780cb3afdf3fa0f8a238114bd7f.exe

  • Size

    1.2MB

  • Sample

    221114-3sab8aae51

  • MD5

    06b37780cb3afdf3fa0f8a238114bd7f

  • SHA1

    b843dc0253ca495cdd042314fe9031c9cd645350

  • SHA256

    94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900

  • SHA512

    0d3a82b2073856baf9600e1afd7c209de5b25b04f0aa4b07e8ad0675673c409530c5b02d98506d31f6dbb959825932257ab44624d199efac5d7fea6dccf36774

  • SSDEEP

    24576:PR964zGEH9mhMh40EL6pxchdGrg17gDrX/axcT5x/Vx9:J446/ajVB3aU/P9

Malware Config

Extracted

Family

redline

Botnet

2

C2

185.106.93.214:45623

Attributes
  • auth_value

    c270d8603c9a3fa0f5e04bf34055f108
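The hashes in General and the C2 and auth_value above are this sample's indicators. What follows is an added example, not code from the sandbox or from the report, that turns them into a local IOC check: it hashes a file in one pass and compares the result against the report, scans flow records for connections to the extracted C2, and emits the C2 as a Suricata rule. The hashes, C2 address and port are copied from the page; the function names, the flow-record format, the SAMPLE_FLOWS records and the rule's local SID are assumptions made for illustration.

```python
# Added example: a local IOC check built from the indicators in the report above.
# Not the sandbox's code. Hashes and C2 are copied from the report; function
# names, the flow-record format and SAMPLE_FLOWS are assumptions for the demo.
import hashlib
import ipaddress

SAMPLE_HASHES = {
    "md5": "06b37780cb3afdf3fa0f8a238114bd7f",
    "sha1": "b843dc0253ca495cdd042314fe9031c9cd645350",
    "sha256": "94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900",
    "sha512": "0d3a82b2073856baf9600e1afd7c209de5b25b04f0aa4b07e8ad0675673c4095"
              "30c5b02d98506d31f6dbb959825932257ab44624d199efac5d7fea6dccf36774",
}
C2_IP = ipaddress.ip_address("185.106.93.214")
C2_PORT = 45623


def digests(chunks, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Feed an iterable of byte chunks through every hasher in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_digests(path):
    """Hash a file in 1 MiB chunks so large droppers are never loaded whole."""
    with open(path, "rb") as fh:
        return digests(iter(lambda: fh.read(1 << 20), b""))


def matches_sample(found):
    """Return the names of report hashes that match, strongest algorithm first.

    A SHA-256 or SHA-512 hit identifies this exact build. MD5 and SHA-1 are
    collision-prone, so a match on those alone is reported by name and should
    be confirmed with a stronger hash before acting on it.
    """
    return [name for name in ("sha512", "sha256", "sha1", "md5")
            if name in found and found[name].lower() == SAMPLE_HASHES[name]]


# Constructed flow records for the demo (not from the report). Assumed format:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = [
    "2022-11-14T03:41:02Z 10.0.0.12:49812 -> 142.250.74.68:443 tcp",
    "2022-11-14T03:41:05Z 10.0.0.12:49815 -> 185.106.93.214:45623 tcp",
    "2022-11-14T03:41:09Z 10.0.0.12:49816 -> 185.106.93.214:80 tcp",
]


def c2_hits(flow_lines, strict=True):
    """Flows to the extracted C2.

    strict=True requires the port from the config as well as the address;
    strict=False flags any connection to the C2 address, the broader query to
    use when hunting, since the port is the easier half for an operator to change.
    """
    hits = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "->":
            continue  # not in the assumed format; skip rather than guess
        dst_ip, _, dst_port = parts[3].rpartition(":")
        try:
            if ipaddress.ip_address(dst_ip) != C2_IP:
                continue
            if strict and int(dst_port) != C2_PORT:
                continue
        except ValueError:
            continue  # unparsable address or port
        hits.append(line)
    return hits


def suricata_rule(sid=1000001):
    """Emit the C2 indicator as a Suricata/Snort rule (sid is a local-range placeholder)."""
    return (f'alert tcp $HOME_NET any -> {C2_IP} {C2_PORT} '
            f'(msg:"RedLine C2 {C2_IP}:{C2_PORT} (sample 221114-3sab8aae51)"; '
            f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hit = matches_sample(file_digests(path))
        print(path, "MATCH via " + ", ".join(hit) if hit else "no match")
    for line in c2_hits(SAMPLE_FLOWS, strict=False):
        print("C2 traffic:", line)
    print(suricata_rule())
```

Run it with one or more file paths to compare them against the report. The hash check is exact-match only: a repacked or rebuilt sample changes every hash, which is what the SSDEEP value on the page is for, and that is left out here because it needs the ssdeep library. The Suricata rule is the network side of the same indicator and carries the usual caveat that the address may be reused or abandoned long before the rule is.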

Targets

    • Target

      06b37780cb3afdf3fa0f8a238114bd7f.exe

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Hits  ID
  Execution             Scheduled Task                1     T1053
  Persistence           Scheduled Task                1     T1053
  Privilege Escalation  Scheduled Task                1     T1053
  Credential Access     Credentials in Files          1     T1081
  Discovery             Query Registry                1     T1012
  Discovery             Peripheral Device Discovery   1     T1120
  Discovery             System Information Discovery  1     T1082
  Collection            Data from Local System        1     T1005