General

  • Target

    bb7136898cb45455cd1a3c1ab8b5e24902b74003d7c08fd0caebd4da495ebca9

  • Size

    763KB

  • Sample

    230526-m2rd4afb38

  • MD5

    cff448c28fb36c840d2850c55efeece3

  • SHA1

    8ea6189c12fde79af32a90f912bd0e9c6ec29e6d

  • SHA256

    bb7136898cb45455cd1a3c1ab8b5e24902b74003d7c08fd0caebd4da495ebca9

  • SHA512

    00555f3ab2f0d28249631f1adffe7538b252e749e56265ff6e3f78b31ea1ea0d05d50835782e1e1896b950adb440c7c7e5d25dba6d70f572faea73ea0d26b688

  • SSDEEP

    12288:zMrAy90TGuJH2BHFiFm6tl0Ca/GtgGRPlqGBEISb650II4dvDmdQLBTE1M:DyGGG2b60lGKG+gSb6O94xDmdUEM

Malware Config

Extracted

Family

redline

Botnet

disa

C2

83.97.73.122:19062

Attributes
  • auth_value

    93f8c4ca7000e3381dd4b6b86434de05

Extracted

Family

redline

Botnet

goga

C2

83.97.73.122:19062

Attributes
  • auth_value

    6d57dff6d3c42dddb8a76dc276b8467f

Targets

    • Target

      bb7136898cb45455cd1a3c1ab8b5e24902b74003d7c08fd0caebd4da495ebca9

    • Size

      763KB

    • MD5

      cff448c28fb36c840d2850c55efeece3

    • SHA1

      8ea6189c12fde79af32a90f912bd0e9c6ec29e6d

    • SHA256

      bb7136898cb45455cd1a3c1ab8b5e24902b74003d7c08fd0caebd4da495ebca9

    • SHA512

      00555f3ab2f0d28249631f1adffe7538b252e749e56265ff6e3f78b31ea1ea0d05d50835782e1e1896b950adb440c7c7e5d25dba6d70f572faea73ea0d26b688

    • SSDEEP

      12288:zMrAy90TGuJH2BHFiFm6tl0Ca/GtgGRPlqGBEISb650II4dvDmdQLBTE1M:DyGGG2b60lGKG+gSb6O94xDmdUEM

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks