Overview

overview

10

Static

static

1

MavrodiBlack 2.exe

windows7-x64

5

MavrodiBlack 2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MavrodiBlack 2.exe

  • Size

    592KB

  • Sample

    230516-n6weaaaf65

  • MD5

    a5f8768a97c74ecc4c26c402f2bcef11

  • SHA1

    d234ce957544025614d49e1e18f3bac6352ca994

  • SHA256

    679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c

  • SHA512

    e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009

  • SSDEEP

    6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6

Score
10/10
redlineevasioninfostealerspyware

Malware Config

Extracted

Family

redline

C2

37.220.87.13:48790

Attributes
  • auth_value

    5ccbd06c4978ff4912009e42060b2daf

Targets

    • Target

      MavrodiBlack 2.exe

    • Size

      592KB

    • MD5

      a5f8768a97c74ecc4c26c402f2bcef11

    • SHA1

      d234ce957544025614d49e1e18f3bac6352ca994

    • SHA256

      679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c

    • SHA512

      e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009

    • SSDEEP

      6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6

    Score
    10/10
    redlineevasioninfostealerspyware

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks