General
- Target: 746b8ab3a0abc20cc32632106af924b1.bin
- Size: 724KB
- Sample: 230527-bvt1vsad3w
- MD5: 23af45deba2c78f4f359732990be0cb5
- SHA1: d13f414fdbe94f159ca28da65d6a125aefc32635
- SHA256: 3725e076c745d0dbf1d64a94b7d4c1071cf6fa3946a6f6b9b35a0eb8b6e7c782
- SHA512: fa18eeee2ad2ec7fac21694a874dd33050fb11c33c9bb43ab3af58aac9ad7a5a3beb97e175599eb7a972f4a8b1a2365b4c599ee8b8753066f144a092e4bf839e
- SSDEEP: 12288:FAx1ZHoK03i7plEh6hqjsBjKuKtdmxrUDrU8mcrNw8LNmHXjlMvINb8EjE:Oxgx3iHpm4juorUUk6GkFV/g
Static task: static1
Malware Config
Extracted
- Family: redline
- Botnet: dina
- C2: 83.97.73.122:19062
- auth_value: 4f77073adc624269de1bff760b9bc471
Extracted
- Family: redline
- Botnet: greg
- C2: 83.97.73.122:19062
- auth_value: 4c966a90781c6b4ab7f512d018696362
Targets
- Target: bc9ad6db3925e9363b7e661fb9621a22c255b62dbe725d0607b5d37d342ada68.exe
- Size: 768KB
- MD5: 746b8ab3a0abc20cc32632106af924b1
- SHA1: 4caf145bc75bf5746690865e0d2b6cdaa766eae5
- SHA256: bc9ad6db3925e9363b7e661fb9621a22c255b62dbe725d0607b5d37d342ada68
- SHA512: 8e6f1bbd1006111cd4fb7c8a25fe2e53b46539ee5009004f272533b7a89fb2361d877f8630f371c41034286b419f4457317d351b1259a7329d0beb29a0ff85dd
- SSDEEP: 24576:oyTaxWLD76WgBhSnXPF1TB6q3dk7QMM1+2CB1:vuxWf7NGhtq3aQMM1+7B
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Stops running service(s)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service: 2
- Registry Run Keys / Startup Folder: 4
- Change Default File Association: 1
- Browser Extensions: 1
- Scheduled Task: 1
Defense Evasion
- Modify Registry: 8
- Disabling Security Tools: 1
- Impair Defenses: 1
- Install Root Certificate: 1