General

  • Target

    d6347648b7f19bc3a3e3fd363db648c1cbe81fdeac06e7d394e65b28430a6fa8

  • Size

    544KB

  • Sample

    230323-q8alpsgb32

  • MD5

    8ce05dc0300fa2fa1b0ac61b074f167e

  • SHA1

    99f450e59787527c8e1849ec0f299ab4b2f5fe8a

  • SHA256

    d6347648b7f19bc3a3e3fd363db648c1cbe81fdeac06e7d394e65b28430a6fa8

  • SHA512

    1d284efa8ad6db425c1e3c6a7b6a489d5e53846cdf32c1bfef69d4d8281a0a3640624bdc082d59c5a3d867c8a2e62c7c55f8e1c7c9765f5ee3244d302c8d8c26

  • SSDEEP

    12288:sMruy907yNLwSi+Z+qJ2uW1nXaWHiKxF59Qr7PNqZhN8l6V:ayUyNwJ+Z+qE1XpLk7PNqhH

Malware Config

Extracted

  • Family

    redline

  • Botnet

    down

  • C2

    193.233.20.31:4125

  • Attributes

    • auth_value

      12c31a90c72f5efae8c053a0bd339381

Extracted

  • Family

    redline

  • Botnet

    lown

  • C2

    193.233.20.31:4125

  • Attributes

    • auth_value

      4cf836e062bcdc2a4fdbf410f5747ec7

Targets

    • Target

      d6347648b7f19bc3a3e3fd363db648c1cbe81fdeac06e7d394e65b28430a6fa8

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    • Modify Existing Service (T1031): 1

    • Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    • Modify Registry (T1112): 3

    • Disabling Security Tools (T1089): 2

  • Credential Access

    • Credentials in Files (T1081): 2

  • Discovery

    • Query Registry (T1012): 1

  • Collection

    • Data from Local System (T1005): 2

Tasks