General

  • Target: c5f9f747e5e825d614fe4a88c43e5bcd00338d533ead8a2978c9d1504c5d6be2
  • Size: 1.5MB
  • Sample: 230503-vnszrshd6x
  • MD5: 72de8322e49c3dab41cafd18fdd819e1
  • SHA1: 5e987faa28b8e94b20bfd2d7e6d6588064297599
  • SHA256: c5f9f747e5e825d614fe4a88c43e5bcd00338d533ead8a2978c9d1504c5d6be2
  • SHA512: 60e97b653b15821be22e3010dc40f9e692e4f3688d9236f40ed386fe384ed6779b3b1d798815c1062eb39d227c9b6bad80f02aaa66e0614e870519c7d59805aa
  • SSDEEP: 24576:kywknATleccaIopl3EI6FpeW+2ga2fCU7tkxdwiKCtzJhGaccWzf:zgTllbIof30yWUaUCU7todth1cN

Malware Config

Extracted

  • Family: redline
  • Botnet: mask
  • C2: 217.196.96.56:4138
  • Attributes
    • auth_value: 31aef25be0febb8e491794ef7f502c50

Extracted

  • Family: redline
  • Botnet: boom
  • C2: 217.196.96.56:4138
  • Attributes
    • auth_value: 1ce6aebe15bac07a7bc88b114bc49335

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first seen in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
