General

  • Target: ab0329051619813892e90435ee560c28.bin
  • Size: 1.1MB
  • Sample: 230515-b5jymsgf4x
  • MD5: a9e30d21ccad08926595300d60a6d277
  • SHA1: e9c9ba5360a4593fe19a3fd8b6d92c3ad0e94cf8
  • SHA256: 185df38a950efcee0c890282a2b8a7df3b442b44eb08b7326c54148a09ad839a
  • SHA512: a1fe8505ba2282ff00675a9a746087e133532a693fff1ebf93a5499b3e191113520acd1934652c78d8dcaa930f291e6e7020bcbbbc1235667534f61e1cd1d93d
  • SSDEEP: 24576:8W+mD9FOBjCaDtXNz4avL7AzN8bpmuTHJ6:skK+aDJ94a48bp6

Malware Config

Extracted

  • Family: redline
  • Botnet: motor
  • C2: 185.161.248.75:4132
  • Attributes
      • auth_value: ec19ab9989a783983c5cbbc0e5ac4a5f

Extracted

  • Family: redline
  • Botnet: terra
  • C2: 185.161.248.75:4132
  • Attributes
      • auth_value: 60df3f535f8aa4e264f78041983592d2

Targets

    • Target: 6c02ed8f9c91ba7c3c9be0ba62744e37e52c290c5c054fd3bb62ceb6834c2226.exe
    • Size: 1.1MB
    • MD5: ab0329051619813892e90435ee560c28
    • SHA1: 66d2e4c95a9a9ea429ab024b3cb01d9d699809ee
    • SHA256: 6c02ed8f9c91ba7c3c9be0ba62744e37e52c290c5c054fd3bb62ceb6834c2226
    • SHA512: 15cb22ab26fc97504481a5c15327d7ace06de6a535ff372d55020c628dcb488367bfc8ea48fa13b3bd9b3a727fb4d919409a0afc26e4aa562d508356f1955be6
    • SSDEEP: 24576:syoNU/1F6A80OvHGsMt90d8BgBRUFjCJlGlNfcIdCWt7/+:bOU9FDXO/Gs54gbEjCJlqfcGCs

    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Windows security modification
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                            Count  ATT&CK ID
  Persistence         Modify Existing Service              1      T1031
  Persistence         Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion     Modify Registry                      3      T1112
  Defense Evasion     Disabling Security Tools             2      T1089
  Credential Access   Credentials in Files                 1      T1081
  Discovery           Query Registry                       1      T1012
  Collection          Data from Local System               1      T1005

Tasks