General

  • Target

    7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e

  • Size

    2MB

  • Sample

    221129-v3eexsdc7w

  • MD5

    923ef6896659d77fff914a9ec8e89fa9

  • SHA1

    4ea7406c2c960f81e4db6e8891d426181692de39

  • SHA256

    7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e

  • SHA512

    95364df4761013aaac4051299566cbb6392cae6136949526f7219660f3461634bda86f469ae0f8d96b209fd0cce83cb4b914998992fca8efa6f8bcd5695db29a

  • SSDEEP

    24576:1RjcXgYLSaH8MlV0/AGQsHE9iWJnVo2FDq6mZC/36Kp/letoreojRqk4vgtYVuQJ:Ljh3E7nVoYDv/3Dpf4qYV

Malware Config

Extracted

Family

redline

Botnet

@P1

C2

193.106.191.138:32796

Attributes
  • auth_value

    54c79ce081122137049ee07c0a2f38ab

Targets

    • Target

      7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e

    • Size

      2MB

    • MD5

      923ef6896659d77fff914a9ec8e89fa9

    • SHA1

      4ea7406c2c960f81e4db6e8891d426181692de39

    • SHA256

      7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e

    • SHA512

      95364df4761013aaac4051299566cbb6392cae6136949526f7219660f3461634bda86f469ae0f8d96b209fd0cce83cb4b914998992fca8efa6f8bcd5695db29a

    • SSDEEP

      24576:1RjcXgYLSaH8MlV0/AGQsHE9iWJnVo2FDq6mZC/36Kp/letoreojRqk4vgtYVuQJ:Ljh3E7nVoYDv/3Dpf4qYV

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks