General

  • Target

    c4bd4cbb390feb318a567b13e3b6754595bb87cea224b843ca70c66bcd272b42

  • Size

    760KB

  • Sample

    230527-xmag5scg99

  • MD5

    a216833b090116354c341f27e79d292d

  • SHA1

    3492fc1ce729b6a7e8a99ce85e1368b85b2cc05f

  • SHA256

    c4bd4cbb390feb318a567b13e3b6754595bb87cea224b843ca70c66bcd272b42

  • SHA512

    75f5d2ff277228e0d94f43df5a2a9ad0e532d09fbb55e750f0116d6956789af61dd6a75c95b3bafb00f2075c0bdb64bcb875c7d814203f4476b4817021742374

  • SSDEEP

    12288:UMrpy907l9kxcE8fMVAQrTutTEjxIRVlblQaMsip7YC+3ToYZWECegE5xvMh:lywl9kxDnVAQOtIjSZbs77YC+3TZZdf4

Malware Config

Extracted

  • Family

    redline

  • Botnet

    mura

  • C2

    83.97.73.127:19062

  • Attributes
    • auth_value

      b2ee4a66a20fb9e998d6a68277565331

Extracted

  • Family

    redline

  • Botnet

    heroy

  • C2

    83.97.73.127:19062

  • Attributes
    • auth_value

      b2879468e50d2d36e66f1a067d4a8bb3

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks