Resubmissions

23-12-2022 01:19

221223-bpp5qaff23 10

26-11-2022 22:18

221126-17xpysch7s 10

General

  • Target

    498f54450f4ecc7b85991ecfd6c400e2b879ae5209fffc5792e19f5ec8e4ef53

  • Size

    1.4MB

  • Sample

    221126-17xpysch7s

  • MD5

    a0ca9d2e6856140493a42a9bfc5f98a2

  • SHA1

    be6e2cf57e66418d578fdad953dcd165967440fb

  • SHA256

    498f54450f4ecc7b85991ecfd6c400e2b879ae5209fffc5792e19f5ec8e4ef53

  • SHA512

    fb328a30e525e8ba533a90195c1f20ff30b3ae12b041f6383dfa3b9c385ec8cbcbd5bb8cd8faba4c38fe364375b582c11a270c9419965b4b482526bbf61f6ea3

  • SSDEEP

    24576:nuj0toZN802qWvVmGiDlM7FSaowP8FJJyPYYc4TuDXTMIFkot8erYMS3N:n2ZH2LdmGJFZoU8sFxSDnFkNesMWN

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Main

  • C2

    109.206.243.58:81

Attributes

  • auth_value

    8d4fa15b87cebd556cbb5208a3db0fdc

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files, T1081 (2)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (1)

  • Collection

    Data from Local System, T1005 (2)

    Email Collection, T1114 (1)

Tasks