General

  • Target

    c8a414d439f5c449d194cc64370e1b07a2358f83059b0f33b8baf9189a45a9a2

  • Size

    1.0MB

  • Sample

    230519-2cz29sgf64

  • MD5

    00f34f518189f0eb4f61acecada137e1

  • SHA1

    cd2e9f98ed92c6d6c7a2932689e7713ec92f0ea3

  • SHA256

    c8a414d439f5c449d194cc64370e1b07a2358f83059b0f33b8baf9189a45a9a2

  • SHA512

    dab6ca230afe4df91b55d13470c2e594f6c488d4a50384e54e81047bedcc5844697c91269db6b231c4417ff4db3d7cd3d19a588d9580ce9d0cdc75b6453c9aa1

  • SSDEEP

    24576:GymFJcqmAGmO6mCttYgNc6TAWl2LbTCCHO:VmFJcDiO6bttFPTAKCbTCK

Malware Config

Extracted

Family

redline

Botnet

meren

C2

77.91.68.253:19065

Attributes
  • auth_value

    a26557b435e44b55fdd4708fbba97d21

Targets

    • Target

      c8a414d439f5c449d194cc64370e1b07a2358f83059b0f33b8baf9189a45a9a2

    • Size

      1.0MB

    • MD5

      00f34f518189f0eb4f61acecada137e1

    • SHA1

      cd2e9f98ed92c6d6c7a2932689e7713ec92f0ea3

    • SHA256

      c8a414d439f5c449d194cc64370e1b07a2358f83059b0f33b8baf9189a45a9a2

    • SHA512

      dab6ca230afe4df91b55d13470c2e594f6c488d4a50384e54e81047bedcc5844697c91269db6b231c4417ff4db3d7cd3d19a588d9580ce9d0cdc75b6453c9aa1

    • SSDEEP

      24576:GymFJcqmAGmO6mCttYgNc6TAWl2LbTCCHO:VmFJcDiO6bttFPTAKCbTCK

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks