Resubmissions

12-02-2023 15:31

230212-syd79aec7s 10

12-02-2023 15:27

230212-svy39aec6t 10

General

  • Target

    0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88

  • Size

    760KB

  • Sample

    230212-syd79aec7s

  • MD5

    252b8be94ec57f65a21f7eca12f0c01a

  • SHA1

    36b7fd1715d9168f87cc9a2724dc7d62ef0b1e13

  • SHA256

    0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88

  • SHA512

    e5eeeb84bc18195ad44b5e99043372e1e9b6c365b048891bc992d440c5f81d6a5b5064cc2b389dbbe10ecb27cef5f94b44c66bcb807d04a3865a0a35abab485d

  • SSDEEP

    12288:DMr5y909ICfwhIvQT4M+KAygkBBDFVtuv6r1tX+NeM68QrJ4nqPln:SyoICfw2vrM+XohZuiH+NeocJ4q9n

Malware Config

Extracted

Family

redline

Botnet

romik

C2

193.233.20.12:4132

Attributes
  • auth_value

    8fb78d2889ba0ca42678b59b884e88ff

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes
  • auth_value

    352959e3707029296ec94306d74e2334

Extracted

Family

redline

Botnet

crypt1

C2

176.113.115.17:4132

Attributes
  • auth_value

    2e2ca7bbceaa9f98252a6f9fc0e6fa86

Targets

    • Target

      0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88

    • Size

      760KB

    • MD5

      252b8be94ec57f65a21f7eca12f0c01a

    • SHA1

      36b7fd1715d9168f87cc9a2724dc7d62ef0b1e13

    • SHA256

      0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88

    • SHA512

      e5eeeb84bc18195ad44b5e99043372e1e9b6c365b048891bc992d440c5f81d6a5b5064cc2b389dbbe10ecb27cef5f94b44c66bcb807d04a3865a0a35abab485d

    • SSDEEP

      12288:DMr5y909ICfwhIvQT4M+KAygkBBDFVtuv6r1tX+NeM68QrJ4nqPln:SyoICfw2vrM+XohZuiH+NeocJ4q9n

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks