General

  • Target

    ac1073c4e4bc3365550ac49b5b0d48008e90feb4c42b6c8516eb5157778dfd98

  • Size

    264KB

  • Sample

    221208-l1r4kace81

  • MD5

    1044304925db70311e495bd6deacd163

  • SHA1

    3c1f6b72ff7b82c876a073b517efdc1ace2acdbf

  • SHA256

    ac1073c4e4bc3365550ac49b5b0d48008e90feb4c42b6c8516eb5157778dfd98

  • SHA512

    b0726dc317e550d7f4f5625250d65ba3d65dd57b4e1744061a7389776243f24ebd0aa715fc28e999082d350a8a84611c3a53094b466b186ef17e24ebd21a56f4

  • SSDEEP

    3072:xZfereYdyP7MVl0Qj5l5Cn1Wv1p7nrpG5TTAsChFR9RTBQgnTLR9OFNxehv:xRcH0z4vj7rpqTcj9kNrxm

Malware Config

Extracted

Family

redline

Botnet

YT

C2

65.21.5.58:48811

Attributes
  • auth_value

    fb878dde7f3b4ad1e1bc26d24db36d28

Targets

    • Target

      ac1073c4e4bc3365550ac49b5b0d48008e90feb4c42b6c8516eb5157778dfd98

    • Size

      264KB

    • MD5

      1044304925db70311e495bd6deacd163

    • SHA1

      3c1f6b72ff7b82c876a073b517efdc1ace2acdbf

    • SHA256

      ac1073c4e4bc3365550ac49b5b0d48008e90feb4c42b6c8516eb5157778dfd98

    • SHA512

      b0726dc317e550d7f4f5625250d65ba3d65dd57b4e1744061a7389776243f24ebd0aa715fc28e999082d350a8a84611c3a53094b466b186ef17e24ebd21a56f4

    • SSDEEP

      3072:xZfereYdyP7MVl0Qj5l5Cn1Wv1p7nrpG5TTAsChFR9RTBQgnTLR9OFNxehv:xRcH0z4vj7rpqTcj9kNrxm

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks