General

  • Target

    952a8f6839d98c1f4e3c26959fe2d2265fa39c1ecbd3ae83b96931e171b08a43

  • Size

    264KB

  • Sample

    221208-fz7vqsca9w

  • MD5

    4f846c930bc2ff3f18a68b2905309451

  • SHA1

    14663cc14ca0fe815a83c2ba01c5b3450c704f2f

  • SHA256

    952a8f6839d98c1f4e3c26959fe2d2265fa39c1ecbd3ae83b96931e171b08a43

  • SHA512

    f8af1e08086c921f5a0e9b6cc9b861c0df9aabc9ed693d2fbfdbe2a39362b336e85cf6830a35d7445ba4154cc0c3e6a9d0ae5b0b3f511324a42282a4dbc4023a

  • SSDEEP

    3072:kZ52A1E7eGlXQj5l5jS6u8WGp+Z0KzscaC25TBQgnTLK2p5wgcNxehv:k3+XEFu8WGEZnocaGBK/Wxm

Malware Config

Extracted

Family

redline

Botnet

YT

C2

65.21.5.58:48811

Attributes
  • auth_value

    fb878dde7f3b4ad1e1bc26d24db36d28

Targets

    • Target

      952a8f6839d98c1f4e3c26959fe2d2265fa39c1ecbd3ae83b96931e171b08a43

    • Size

      264KB

    • MD5

      4f846c930bc2ff3f18a68b2905309451

    • SHA1

      14663cc14ca0fe815a83c2ba01c5b3450c704f2f

    • SHA256

      952a8f6839d98c1f4e3c26959fe2d2265fa39c1ecbd3ae83b96931e171b08a43

    • SHA512

      f8af1e08086c921f5a0e9b6cc9b861c0df9aabc9ed693d2fbfdbe2a39362b336e85cf6830a35d7445ba4154cc0c3e6a9d0ae5b0b3f511324a42282a4dbc4023a

    • SSDEEP

      3072:kZ52A1E7eGlXQj5l5jS6u8WGp+Z0KzscaC25TBQgnTLK2p5wgcNxehv:k3+XEFu8WGEZnocaGBK/Wxm

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks