General

  • Target

    f63f6019c73aa23d701d3ab1e6d89ed8311eb68a316d161cbf62e3b064202b96

  • Size

    686KB

  • Sample

    230328-kkmngahh56

  • MD5

    1da68a46f1aa02cd8c712d29742deef3

  • SHA1

    52fdb2757074c4173c698cb389975bd9b48913b3

  • SHA256

    f63f6019c73aa23d701d3ab1e6d89ed8311eb68a316d161cbf62e3b064202b96

  • SHA512

    ba6e957964e6388271b879262af4524d7fff9370b5301defe2a2c1fbc515ea14a1df4012c432680060fdc87b5c4fca1128f146b9c8b4d397455b3ff41dfb408b

  • SSDEEP

    12288:PMray90ILnQqOGb6yjCHSR5N0sMNMrUTUuXwye5Yfx:FyToGtjC65NpACJuXreWfx

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Targets

    • Target

      f63f6019c73aa23d701d3ab1e6d89ed8311eb68a316d161cbf62e3b064202b96

    • Size

      686KB

    • MD5

      1da68a46f1aa02cd8c712d29742deef3

    • SHA1

      52fdb2757074c4173c698cb389975bd9b48913b3

    • SHA256

      f63f6019c73aa23d701d3ab1e6d89ed8311eb68a316d161cbf62e3b064202b96

    • SHA512

      ba6e957964e6388271b879262af4524d7fff9370b5301defe2a2c1fbc515ea14a1df4012c432680060fdc87b5c4fca1128f146b9c8b4d397455b3ff41dfb408b

    • SSDEEP

      12288:PMray90ILnQqOGb6yjCHSR5N0sMNMrUTUuXwye5Yfx:FyToGtjC65NpACJuXreWfx

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Tasks