General

  • Target

    498f54450f4ecc7b85991ecfd6c400e2b879ae5209fffc5792e19f5ec8e4ef53

  • Size

    1.4MB

  • Sample

    221124-166w8scf85

  • MD5

    a0ca9d2e6856140493a42a9bfc5f98a2

  • SHA1

    be6e2cf57e66418d578fdad953dcd165967440fb

  • SHA256

    498f54450f4ecc7b85991ecfd6c400e2b879ae5209fffc5792e19f5ec8e4ef53

  • SHA512

    fb328a30e525e8ba533a90195c1f20ff30b3ae12b041f6383dfa3b9c385ec8cbcbd5bb8cd8faba4c38fe364375b582c11a270c9419965b4b482526bbf61f6ea3

  • SSDEEP

    24576:nuj0toZN802qWvVmGiDlM7FSaowP8FJJyPYYc4TuDXTMIFkot8erYMS3N:n2ZH2LdmGJFZoU8sFxSDnFkNesMWN

Malware Config

Targets

    • Target

      498f54450f4ecc7b85991ecfd6c400e2b879ae5209fffc5792e19f5ec8e4ef53

    • Size

      1.4MB

    • MD5

      a0ca9d2e6856140493a42a9bfc5f98a2

    • SHA1

      be6e2cf57e66418d578fdad953dcd165967440fb

    • SHA256

      498f54450f4ecc7b85991ecfd6c400e2b879ae5209fffc5792e19f5ec8e4ef53

    • SHA512

      fb328a30e525e8ba533a90195c1f20ff30b3ae12b041f6383dfa3b9c385ec8cbcbd5bb8cd8faba4c38fe364375b582c11a270c9419965b4b482526bbf61f6ea3

    • SSDEEP

      24576:nuj0toZN802qWvVmGiDlM7FSaowP8FJJyPYYc4TuDXTMIFkot8erYMS3N:n2ZH2LdmGJFZoU8sFxSDnFkNesMWN

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks