General

  • Target

    e5a423ef32be55b9f547b0231bd974d8d359b45b023851aa6ecc0c64ed3c44cc

  • Size

    1.1MB

  • Sample

    230515-zg3ylsfg7y

  • MD5

    249b689b923497f2acdfe4f8a8e797f4

  • SHA1

    cdc404948e25c74b546ce64322bfad2f16d4667c

  • SHA256

    e5a423ef32be55b9f547b0231bd974d8d359b45b023851aa6ecc0c64ed3c44cc

  • SHA512

    65c0f61764d9d0975ac5e78324b3aeafeba6df062445561e1fa03ee500fda90952553c1cf3f52aef8dceee17c0cb83662d2fe724e8cb44e6b2674a9f459b8da0

  • SSDEEP

    24576:MyiRYW9t8fr6ncIB/S+M9hDY03umkzKT9mLM4AzjIjjzRqtA5Acpp:7iiWzdncwib5oK+EUHRMA5Ac

Malware Config

Extracted

Family

redline

Botnet

laza

C2

185.161.248.25:4132

Attributes
  • auth_value

    d7ccb2ab31ec12673b18474ab15e1a38

Extracted

Family

redline

Botnet

sister

C2

185.161.248.25:4132

Attributes
  • auth_value

    61021810f83e6d5e6ff303aaac03c0e1

Targets

    • Target

      e5a423ef32be55b9f547b0231bd974d8d359b45b023851aa6ecc0c64ed3c44cc

    • Size

      1.1MB

    • MD5

      249b689b923497f2acdfe4f8a8e797f4

    • SHA1

      cdc404948e25c74b546ce64322bfad2f16d4667c

    • SHA256

      e5a423ef32be55b9f547b0231bd974d8d359b45b023851aa6ecc0c64ed3c44cc

    • SHA512

      65c0f61764d9d0975ac5e78324b3aeafeba6df062445561e1fa03ee500fda90952553c1cf3f52aef8dceee17c0cb83662d2fe724e8cb44e6b2674a9f459b8da0

    • SSDEEP

      24576:MyiRYW9t8fr6ncIB/S+M9hDY03umkzKT9mLM4AzjIjjzRqtA5Acpp:7iiWzdncwib5oK+EUHRMA5Ac

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks