Overview

overview

10

Static

static

b899825100...8e.exe

windows7-x64

10

b899825100...8e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b89982510003a83b72e023cefc4edd8e.exe

  • Size

    1.9MB

  • Sample

    230103-cl9wdshd53

  • MD5

    b89982510003a83b72e023cefc4edd8e

  • SHA1

    b97b061a10191eb3ce6382b6ce55b5bc0b3108fc

  • SHA256

    15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd

  • SHA512

    71fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5

  • SSDEEP

    49152:V5Ov3R+uH6r5eKowZO1Oz3tLcmkDLLEYzdGPET:V5Gh+iOz3tLwnRGi

Score
10/10
redlinelogsdiller cloud (telegram: @logsdillabot)socicalbotinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

51.210.137.6:47909

Attributes
  • auth_value

    c2955ed3813a798683a185a82e949f88

Extracted

Family

redline

Botnet

socicalbot

C2

149.28.205.74:2470

Attributes
  • auth_value

    9c51f0d7102febd61d441fffb9c4bb47

Targets

    • Target

      b89982510003a83b72e023cefc4edd8e.exe

    • Size

      1.9MB

    • MD5

      b89982510003a83b72e023cefc4edd8e

    • SHA1

      b97b061a10191eb3ce6382b6ce55b5bc0b3108fc

    • SHA256

      15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd

    • SHA512

      71fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5

    • SSDEEP

      49152:V5Ov3R+uH6r5eKowZO1Oz3tLcmkDLLEYzdGPET:V5Gh+iOz3tLwnRGi

    Score
    10/10
    redlinelogsdiller cloud (telegram: @logsdillabot)socicalbotinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks