General

  • Target

    0b255defd0642880b352d5b4e30c3aaf534619a1ea8d50445c97f1d85d1221aa

  • Size

    534KB

  • Sample

    230331-y1gztadb34

  • MD5

    b6b9af910ff81884f7e1f2c7cee96dad

  • SHA1

    c84ecf2f0e979e33a814bff4859014f99d1b17b3

  • SHA256

    0b255defd0642880b352d5b4e30c3aaf534619a1ea8d50445c97f1d85d1221aa

  • SHA512

    9f28d3144893747e8e7e28c685df1726cfba970201c2ee50f23b295aaa0c6d89c46e361bee3c51b4f7b50d19190b232f0d13a3efb7fb6fcee6a6f5f9f14f75dd

  • SSDEEP

    12288:HMrdy903Tj7N5mFe69/ucILWewBObKr6NhLLT+kImkukp:myo7N5mFX/DepbnNhb0AY

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Targets

    • Target

      0b255defd0642880b352d5b4e30c3aaf534619a1ea8d50445c97f1d85d1221aa

    • Size

      534KB

    • MD5

      b6b9af910ff81884f7e1f2c7cee96dad

    • SHA1

      c84ecf2f0e979e33a814bff4859014f99d1b17b3

    • SHA256

      0b255defd0642880b352d5b4e30c3aaf534619a1ea8d50445c97f1d85d1221aa

    • SHA512

      9f28d3144893747e8e7e28c685df1726cfba970201c2ee50f23b295aaa0c6d89c46e361bee3c51b4f7b50d19190b232f0d13a3efb7fb6fcee6a6f5f9f14f75dd

    • SSDEEP

      12288:HMrdy903Tj7N5mFe69/ucILWewBObKr6NhLLT+kImkukp:myo7N5mFX/DepbnNhb0AY

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Tasks