General

  • Target

    c565f71f426a913c738310198a01654ed930dd09

  • Size

    361KB

  • Sample

    230127-qb3afsbb66

  • MD5

    0d356ea4776618c8018b385e50720061

  • SHA1

    c565f71f426a913c738310198a01654ed930dd09

  • SHA256

    b4968767ee9f8c1ae309d7f8a8f4c9cff847a81d46d021608add9de06a4ba965

  • SHA512

    68a17800b2f2fefb5e5f28c2d1639989361f158c53dcc5e7c6ca49b61e7eabc1343b0e91ca8bdba1febfac33cc92ad84a6daf94acae9abf8470a722a91db7268

  • SSDEEP

    6144:/iN9Ozs7npw4ngtJ5kJ+w4UhclWqDzEgvDv8LGB3JBVvidaGExXAO+DzyM7+Hc:/iqzs7nNg35kJ+wJhcgqDzLbvBBxvxXw

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes
  • auth_value

    3a5bb0917495b4312d052a0b8977d2bb

Targets

    • Target

      c565f71f426a913c738310198a01654ed930dd09

    • Size

      361KB

    • MD5

      0d356ea4776618c8018b385e50720061

    • SHA1

      c565f71f426a913c738310198a01654ed930dd09

    • SHA256

      b4968767ee9f8c1ae309d7f8a8f4c9cff847a81d46d021608add9de06a4ba965

    • SHA512

      68a17800b2f2fefb5e5f28c2d1639989361f158c53dcc5e7c6ca49b61e7eabc1343b0e91ca8bdba1febfac33cc92ad84a6daf94acae9abf8470a722a91db7268

    • SSDEEP

      6144:/iN9Ozs7npw4ngtJ5kJ+w4UhclWqDzEgvDv8LGB3JBVvidaGExXAO+DzyM7+Hc:/iqzs7nNg35kJ+wJhcgqDzLbvBBxvxXw

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
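The extracted config (C2 107.182.129.73:21733) and the file hashes above are the indicators a responder would actually hunt with, and the "Uses the VBS compiler for execution" plus "Suspicious use of SetThreadContext" signatures are the usual sign that the RedLine payload was injected into a hollowed .NET compiler process. The following script is an added example, not part of this report or of Tria.ge: it builds an IOC set from the values on this page, hashes a file against the three reported digests, and scans constructed Sysmon-style log lines for connections to the C2, rating a hit higher when the connecting image is a compiler binary. The log format, the sample lines, and the list of hollowed host processes (vbc.exe, csc.exe, MSBuild.exe) are assumptions made for the demo.

```python
"""Offline IOC check for the RedLine sample in this report (added example)."""
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Indicators taken directly from the report.
REPORT_HASHES = {
    "md5": "0d356ea4776618c8018b385e50720061",
    "sha1": "c565f71f426a913c738310198a01654ed930dd09",
    "sha256": "b4968767ee9f8c1ae309d7f8a8f4c9cff847a81d46d021608add9de06a4ba965",
}
C2_HOST = "107.182.129.73"
C2_PORT = 21733

# Assumption: RedLine loaders typically hollow one of these .NET compiler
# binaries to host the stealer; a network connection from them is abnormal.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe"}


def file_digests(data: bytes) -> Dict[str, str]:
    """Lowercase hex MD5/SHA1/SHA256 of a byte string (the report lists all three)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_algorithms(data: bytes) -> Set[str]:
    """Names of the algorithms under which `data` hashes to the reported sample."""
    return {algo for algo, hexd in file_digests(data).items() if hexd == REPORT_HASHES[algo]}


# Constructed log format (assumption): "<ts> NETWORK image=<path> pid=<n> dst=<ip>:<port>"
NET_LINE = re.compile(
    r"^(?P<ts>\S+) NETWORK image=(?P<image>.+?) pid=(?P<pid>\d+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


def find_c2_connections(lines: Iterable[str]) -> List[dict]:
    """Flag connections to the C2 host from the report.

    confidence: 'high'   -> C2 ip:port from a hollowed compiler process
                'medium' -> C2 ip:port from any other process
                'low'    -> C2 ip only (other port); worth a look, not a verdict
    """
    hits = []
    for line in lines:
        m = NET_LINE.match(line.strip())
        if not m or m["ip"] != C2_HOST:
            continue
        port_ok = int(m["port"]) == C2_PORT
        image_name = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if port_ok and image_name in HOLLOW_HOSTS:
            confidence = "high"
        elif port_ok:
            confidence = "medium"
        else:
            confidence = "low"
        hits.append({"ts": m["ts"], "image": m["image"], "pid": int(m["pid"]),
                     "confidence": confidence})
    return hits


# Constructed sample log lines for the demo; not captured traffic.
SAMPLE_LOG = """\
2023-01-27T10:02:11Z NETWORK image=C:\\Windows\\System32\\svchost.exe pid=1204 dst=13.107.4.50:443
2023-01-27T10:02:15Z NETWORK image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe pid=4412 dst=107.182.129.73:21733
2023-01-27T10:02:16Z PROCESS image=C:\\Windows\\System32\\cmd.exe pid=4420 parent=4412
2023-01-27T10:02:20Z NETWORK image=C:\\Program Files\\Mozilla Firefox\\firefox.exe pid=2210 dst=107.182.129.73:443
"""

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} pid={hit['pid']} {hit['image']} -> C2 ({hit['confidence']})")
    # A placeholder byte string will not match the reported sample under any algorithm.
    print("hash match:", matching_algorithms(b"placeholder, not the sample") or "none")
```

To use it against a real file, read the bytes and call matching_algorithms on them; to run it over real telemetry, swap NET_LINE for a parser of your own event format and keep the C2 and compiler-image checks as they are. The port check matters: the report ties the C2 to port 21733, so a connection to the same IP on another port is only a weak lead.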

MITRE ATT&CK Enterprise v6