General

  • Target: file.exe
  • Size: 192KB
  • Sample: 230202-2v37msbh8s
  • MD5: 25035abb52d2f2fb5d2ccf3970b28d4e
  • SHA1: 1755cd24d3a627032c996a5187058d800bafe9c8
  • SHA256: b9b662268799479031a208b0d144559da6fe242a94b3329fc5b31d66f77900bf
  • SHA512: 14c5bebdd62fcad74c41fee2811ce3917dc6ba9bbdb3c0707f6d14618343f951a25abdb54dfd4c07b3545cefe8b336a835db99a4bf94097ea1dea56ba5819580
  • SSDEEP: 3072:gOhX0N7+f1y5GWp1icKAArDZz4N9GhbkrNEk1ssR84+aX5DD0Wv7VdcX07/:lhEN7+Op0yN90QEDs+9y7L/

Malware Config

Extracted

  • Family: redline
  • Botnet: france
  • C2: 193.233.20.5:4136
  • Attributes
    • auth_value: 827023aa27bcc1cc2382e4d111feec6f

Targets

    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Windows security modification
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then technique (count, technique ID):

  • Persistence
    • Modify Existing Service (1, T1031)
    • Registry Run Keys / Startup Folder (1, T1060)
  • Defense Evasion
    • Modify Registry (3, T1112)
    • Disabling Security Tools (2, T1089)
  • Credential Access
    • Credentials in Files (2, T1081)
  • Discovery
    • Query Registry (1, T1012)
  • Collection
    • Data from Local System (2, T1005)

Tasks