General

  • Target

    1f82d8215ce77f3f82b98bff653f05bb063437c6c8aab08285044c916ef32e92

  • Size

    1021KB

  • Sample

    230521-fbqljsah21

  • MD5

    85c738b7cd0240ae958d83c89af77822

  • SHA1

    84e4acb965f74022c52ec61590b83e9115302014

  • SHA256

    1f82d8215ce77f3f82b98bff653f05bb063437c6c8aab08285044c916ef32e92

  • SHA512

    fc0a2533676d8a46a6009f88f55133df5aee74294b99eb55e3b6501faa4fe718332e5b14032ab0f543604723a62318aff26c65ce2a59c45aa0c413fe79b8b748

  • SSDEEP

    24576:rywXWKpqsd8qTRFa0njZgIguAZmU90rsu:eTKksd8qlUGmzhh04

Malware Config

Extracted

Family

redline

Botnet

luza

C2

185.161.248.37:4138

Attributes
  • auth_value

    1261701914d508e02e8b4f25d38bc7f9

Targets

    • Target

      1f82d8215ce77f3f82b98bff653f05bb063437c6c8aab08285044c916ef32e92

    • Size

      1021KB

    • MD5

      85c738b7cd0240ae958d83c89af77822

    • SHA1

      84e4acb965f74022c52ec61590b83e9115302014

    • SHA256

      1f82d8215ce77f3f82b98bff653f05bb063437c6c8aab08285044c916ef32e92

    • SHA512

      fc0a2533676d8a46a6009f88f55133df5aee74294b99eb55e3b6501faa4fe718332e5b14032ab0f543604723a62318aff26c65ce2a59c45aa0c413fe79b8b748

    • SSDEEP

      24576:rywXWKpqsd8qTRFa0njZgIguAZmU90rsu:eTKksd8qlUGmzhh04

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks