General

  • Target

    3b6724f0782fb7defaad3f17b96a80cae307d230

  • Size

    361KB

  • Sample

    230127-p9rqyaba69

  • MD5

    5ad8cef52f1794c265593cba1ea16791

  • SHA1

    3b6724f0782fb7defaad3f17b96a80cae307d230

  • SHA256

    47db42f2fea21e2ed1d3957a40e3c3617083483d27c2ec540492a1d6623884f5

  • SHA512

    b2482be6f58298395710aac1ea159054e95b6e052de604a1901939f7125b5c3aa7eee964d3225d8d6dd7677cf38a5fcd2699365cc7b5534bc8ff70b3ba845999

  • SSDEEP

    6144:HOVW5gGzs7XbM+eg9m+UIuAQjXQ680zRQvPvijCL8LJuxrP8YAOm7hMb+Xc:uVWJzs7XAgs+UIuA6Xv80zunvfLXAMbD

Malware Config

Extracted

  • Family

    redline

  • Botnet

    1

  • C2

    107.182.129.73:21733

  • Attributes

    auth_value: 3a5bb0917495b4312d052a0b8977d2bb

Targets

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6