General

  • Target

    5abaf638181a8cd6465b0045b9df30dca92db14d889c088ec2e5c9f573cc3062

  • Size

    534KB

  • Sample

    230331-ykjhpsch89

  • MD5

    df2f6f2e1d41fb751c55ad513656effd

  • SHA1

    802114ff4e8984a9a4ccb950e4b31097fe759458

  • SHA256

    5abaf638181a8cd6465b0045b9df30dca92db14d889c088ec2e5c9f573cc3062

  • SHA512

    b714688de8efc06d963ec13d8610c9cc56e3bdb0f46cc03bba6cd6eb40b6900a28d74ae0b3fd0536249f3ac0b046e88e8d77eb719c810d1305f3190e9d8b02d2

  • SSDEEP

    12288:GMrEy90IXtJE8EU5JsatBv7K7O/IObBr1oVlpPDA:eyV9i8EU5Jd/v7KK3bM7VE

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Targets

    • Target

      5abaf638181a8cd6465b0045b9df30dca92db14d889c088ec2e5c9f573cc3062

    • Size

      534KB

    • MD5

      df2f6f2e1d41fb751c55ad513656effd

    • SHA1

      802114ff4e8984a9a4ccb950e4b31097fe759458

    • SHA256

      5abaf638181a8cd6465b0045b9df30dca92db14d889c088ec2e5c9f573cc3062

    • SHA512

      b714688de8efc06d963ec13d8610c9cc56e3bdb0f46cc03bba6cd6eb40b6900a28d74ae0b3fd0536249f3ac0b046e88e8d77eb719c810d1305f3190e9d8b02d2

    • SSDEEP

      12288:GMrEy90IXtJE8EU5JsatBv7K7O/IObBr1oVlpPDA:eyV9i8EU5Jd/v7KK3bM7VE

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Tasks