General

  • Target

    d281a14d351829923f7df47f9d31a88a758d778723fe98736ef85bb860188704

  • Size

    767KB

  • Sample

    230526-gsefaaef7v

  • MD5

    916b160eabe9d34d294af9e0b8c86f5e

  • SHA1

    c4e5dc9062f8c985cdf2a2fed77422f54e1a9490

  • SHA256

    d281a14d351829923f7df47f9d31a88a758d778723fe98736ef85bb860188704

  • SHA512

    dc88f36c7ccef097fde537dcb15ca6381adfdb7add1616cfb276de98f39dbf612b530d7c9139289cdc5c838accf4170f9e1cfc1318cde3408d8f16633d5232fe

  • SSDEEP

    12288:bMrty90gQ02yWvZDAXLB6u/MSkPAWia+3wV1mrbp+Yyf4hGJXS6pAi8Ttn0kBiwX:6yVQOYZDGLN/2c3O1epvyfmGtnJ850kD

Malware Config

Extracted

Family

redline

Botnet

mina

C2

83.97.73.122:19062

Attributes
  • auth_value

    3d04bf4b8ba2a11c4dcf9df0e388fa05

Extracted

Family

redline

Botnet

greg

C2

83.97.73.122:19062

Attributes
  • auth_value

    4c966a90781c6b4ab7f512d018696362

Targets

    • Target

      d281a14d351829923f7df47f9d31a88a758d778723fe98736ef85bb860188704

    • Size

      767KB

    • MD5

      916b160eabe9d34d294af9e0b8c86f5e

    • SHA1

      c4e5dc9062f8c985cdf2a2fed77422f54e1a9490

    • SHA256

      d281a14d351829923f7df47f9d31a88a758d778723fe98736ef85bb860188704

    • SHA512

      dc88f36c7ccef097fde537dcb15ca6381adfdb7add1616cfb276de98f39dbf612b530d7c9139289cdc5c838accf4170f9e1cfc1318cde3408d8f16633d5232fe

    • SSDEEP

      12288:bMrty90gQ02yWvZDAXLB6u/MSkPAWia+3wV1mrbp+Yyf4hGJXS6pAi8Ttn0kBiwX:6yVQOYZDGLN/2c3O1epvyfmGtnJ850kD

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks