General

  • Target

    game329.exe

  • Size

    1.0MB

  • Sample

    230521-m2afkshf22

  • MD5

    93a840f72b285d9d277c8d9f83f453a6

  • SHA1

    8db24b9550db96ccae599f9a7d2d3db7ee5e8934

  • SHA256

    f4b937ca01d2977a86ca85f41b70e6d56eb21e7379dc41403a21a50dfd59c858

  • SHA512

    880848926e406ffd34c89e6dec5fc37a189c6049eceb67c3126232c780477482e327159748376f8f501ae89fc2aef71c71248a8161745753a0c65a2573e6a6dd

  • SSDEEP

    24576:gySGer1lLFwtaDOxbWzq7RqFaU3ICLMM0jVbkP6Z2ls/+NX:nSGer1lJkaDOIzq7RqgU3l+M6Z2lsk

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Targets

    • Target

      game329.exe

    • Size

      1.0MB

    • MD5

      93a840f72b285d9d277c8d9f83f453a6

    • SHA1

      8db24b9550db96ccae599f9a7d2d3db7ee5e8934

    • SHA256

      f4b937ca01d2977a86ca85f41b70e6d56eb21e7379dc41403a21a50dfd59c858

    • SHA512

      880848926e406ffd34c89e6dec5fc37a189c6049eceb67c3126232c780477482e327159748376f8f501ae89fc2aef71c71248a8161745753a0c65a2573e6a6dd

    • SSDEEP

      24576:gySGer1lLFwtaDOxbWzq7RqFaU3ICLMM0jVbkP6Z2ls/+NX:nSGer1lJkaDOIzq7RqgU3l+M6Z2lsk

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C# that first appeared in early 2020. It harvests credentials, browser data and cryptocurrency wallet information and reports to a configured C2 (here 185.161.248.37:4138, botnet "diza").

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (avoiding execution in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill form data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
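The extracted config above (C2 endpoint, sample hashes) and the behaviour signatures in this list are what a defender would hunt for in endpoint telemetry. The following is an added example, not code from the sandbox report or from the Triage project: it encodes the report's C2 and SHA256 as IOCs, maps four of the registry-based signatures (Defender real-time protection, Run key persistence, Uninstall-key enumeration, Geo/Nation lookup) to value-path patterns, and runs them over a constructed set of Sysmon-shaped events. The registry paths in `REGISTRY_RULES` are assumed typical locations for each behaviour (the report names only the signatures, not the keys this sample touched), the events in `SAMPLE_EVENTS` are constructed, and `classify`/`match_events` are hypothetical helper names.

```python
import re

# IOCs copied from the report's Malware Config and General sections.
C2_ENDPOINTS = {("185.161.248.37", 4138)}
SAMPLE_SHA256 = {"f4b937ca01d2977a86ca85f41b70e6d56eb21e7379dc41403a21a50dfd59c858"}

# Registry rules: (report signature name, required action, value-path pattern).
# ASSUMPTION: these are typical locations for each behaviour; the report lists
# only the signature names, not the exact keys the sample touched.
REGISTRY_RULES = [
    ("Modifies Windows Defender Real-time Protection settings", "SetValue",
     re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)),
    ("Adds Run key to start application", "SetValue",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("Checks installed software on the system", "QueryValue",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("Checks computer location settings", "QueryValue",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]


def classify(event):
    """Return the list of signature names a single telemetry event satisfies."""
    hits = []
    kind = event.get("type")
    if kind == "registry":
        for name, action, pattern in REGISTRY_RULES:
            if event.get("action") == action and pattern.search(event.get("path", "")):
                hits.append(name)
    elif kind == "network":
        # Exact (ip, port) match against the extracted C2 endpoint.
        if (event.get("dst_ip"), event.get("dst_port")) in C2_ENDPOINTS:
            hits.append("RedLine C2 connection")
    elif kind == "file":
        # Hash match against the sample's SHA256 from the report.
        if event.get("sha256", "").lower() in SAMPLE_SHA256:
            hits.append("Known sample hash (SHA256 from report)")
    return hits


def match_events(events):
    """Map each matched signature to the indexes of the events that triggered it."""
    matched = {}
    for idx, ev in enumerate(events):
        for name in classify(ev):
            matched.setdefault(name, []).append(idx)
    return matched


# Constructed telemetry, roughly Sysmon-shaped; NOT taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Users\x\Downloads\game329.exe",
     "sha256": "f4b937ca01d2977a86ca85f41b70e6d56eb21e7379dc41403a21a50dfd59c858"},
    {"type": "registry", "action": "QueryValue",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "action": "SetValue",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "value": 1},
    {"type": "registry", "action": "QueryValue",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ProductGuid}\DisplayName"},
    {"type": "registry", "action": "SetValue",
     "path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\game329"},
    {"type": "network", "dst_ip": "185.161.248.37", "dst_port": 4138, "proto": "tcp"},
    # Benign noise that must not match any rule.
    {"type": "registry", "action": "SetValue",
     "path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
]

if __name__ == "__main__":
    for name, idxs in sorted(match_events(SAMPLE_EVENTS).items()):
        print(f"{name}: events {idxs}")
```

Each rule requires the action the behaviour implies (a Run key or Defender policy is only interesting when written, an Uninstall or Geo key when read), which keeps routine reads of the Run key by legitimate software out of the result. Swap the constructed events for parsed Sysmon EventID 12/13 (registry) and 3 (network) records to use this against real telemetry.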
