General

  • Target

    551703d259ca6bb177870d2021f502fc3e48cab1575efa0867f8ae1f0fa0e615

  • Size

    770KB

  • Sample

    230527-y3hdcsde3z

  • MD5

    37ea8367fdd1c9e3b72ccdf5101c51d8

  • SHA1

    e5d1299246827055b157e8f63ae2822b68fc4c4a

  • SHA256

    551703d259ca6bb177870d2021f502fc3e48cab1575efa0867f8ae1f0fa0e615

  • SHA512

    533c76b900e940f0abf42d7ef4dedbe235cbda8fa8d22ed79ed641d4663b0a0484bd990074aabc0bd96096e88217dfe913847c6a3f3cd7d6e00658487389a2db

  • SSDEEP

    12288:7MrZy90xX5aOcwH1UJFHtA0rdCzeJPEYIXRwBji6/vtQz+wA5I1YFMG6Q9:Oy8p5NVa40r8z6IhwBjzvt4zAOYLv

Malware Config

Extracted

Family

redline

Botnet

dura

C2

83.97.73.127:19062

Attributes
  • auth_value

    44b7d6fb9572dea0d64d018139c3d208

Extracted

Family

redline

Botnet

heroy

C2

83.97.73.127:19062

Attributes
  • auth_value

    b2879468e50d2d36e66f1a067d4a8bb3
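The two extracted configurations share one C2 (83.97.73.127:19062) but carry different botnet IDs and auth_value strings, so the host:port is the operator-level indicator while the botnet/auth_value pair distinguishes the two builds. The following script, added here as an example and not part of the sandbox report or of RedLine itself, turns those values into network IOCs and sweeps connection records for them. The config values are the ones the report extracted; the conn-log lines are constructed for illustration.

```python
"""Derive network IOCs from the two extracted RedLine configs and sweep
connection logs for them.  Added example; not sandbox or RedLine code.
C2, botnet and auth_value are the values the report extracted; the
connection-log lines below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "dura", "c2": "83.97.73.127:19062",
     "auth_value": "44b7d6fb9572dea0d64d018139c3d208"},
    {"family": "redline", "botnet": "heroy", "c2": "83.97.73.127:19062",
     "auth_value": "b2879468e50d2d36e66f1a067d4a8bb3"},
]


@dataclass(frozen=True)
class C2:
    host: str
    port: int


def parse_c2(value: str) -> C2:
    """Parse the sandbox's 'host:port' string into a C2 tuple.

    The host must be an IP literal and the port a valid TCP port, so a
    mangled config value fails loudly instead of producing a useless IOC."""
    host, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 value {value!r}")
    ipaddress.ip_address(host)          # ValueError if not an IP literal
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return C2(host, port_num)


def unique_c2s(configs) -> set:
    """Both configs share one C2; deduplicate before building block lists."""
    return {parse_c2(c["c2"]) for c in configs}


def campaign_ids(configs) -> dict:
    """Map botnet ID to auth_value.  These differ per build even when the C2
    is identical, so they identify the campaign rather than the operator host."""
    return {c["botnet"]: c["auth_value"] for c in configs}


# Constructed flow records (Zeek conn.log-like): ts src sport dst dport proto
SAMPLE_CONN_LOG = """\
1685203150.123 10.0.0.15 52144 83.97.73.127 19062 tcp
1685203151.004 10.0.0.15 52145 142.250.74.78 443 tcp
1685203160.770 10.0.0.22 49701 83.97.73.127 19062 tcp
1685203170.001 10.0.0.15 52150 83.97.73.127 80 tcp
"""


def _records(log_text: str):
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 6:            # skip blank or truncated records
            yield fields[:6]


def find_c2_connections(log_text: str, c2s: set) -> list:
    """(timestamp, source IP) for every flow to an exact C2 host:port."""
    return [(ts, src) for ts, src, _sp, dst, dport, _pr in _records(log_text)
            if C2(dst, int(dport)) in c2s]


def find_c2_host_contacts(log_text: str, c2s: set) -> list:
    """Broader hunt: any flow to a C2 host on any port.  A rebuilt sample can
    keep the host and change the port, which a port-exact match would miss."""
    hosts = {c.host for c in c2s}
    return [(ts, src, int(dport)) for ts, src, _sp, dst, dport, _pr in _records(log_text)
            if dst in hosts]


if __name__ == "__main__":
    c2s = unique_c2s(EXTRACTED_CONFIGS)
    print("C2 set:", c2s)
    print("campaigns:", campaign_ids(EXTRACTED_CONFIGS))
    print("exact C2 hits:", find_c2_connections(SAMPLE_CONN_LOG, c2s))
    print("host contacts:", find_c2_host_contacts(SAMPLE_CONN_LOG, c2s))
```

Run against the constructed log, the exact host:port sweep flags two internal hosts (10.0.0.15 and 10.0.0.22); the host-only sweep additionally surfaces the port-80 flow from 10.0.0.15, which is worth a look but is not by itself proof of C2 traffic.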

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (avoiding execution in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
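Two of the behaviours above leave registry writes that Sysmon records as Event ID 13 (RegistryEvent, value set): the Defender real-time protection change and the Run key. The script below, added here as an example and not part of the sandbox report, applies rules for both over Sysmon-style events and then correlates hits per process, since one image that both blinds Defender and installs an autostart entry is the pattern this report describes. The event records, file names and SID are constructed for illustration; the registry paths are the standard Defender policy and Run key locations.

```python
"""Detect Defender real-time protection tampering and Run-key persistence in
Sysmon registry events, then correlate hits per process.  Added example;
not sandbox or RedLine code.  The events are constructed to resemble Sysmon
Event ID 13 records; image names and the SID are made up."""
import re
from collections import defaultdict
from typing import Optional

# Sysmon renders DWORD values as "DWORD (0x00000001)"; any non-zero value disables.
DWORD_SET = re.compile(r"DWORD \(0x0*[1-9a-f][0-9a-f]*\)", re.I)

# Defender policy values a stealer flips to blind real-time protection (ATT&CK T1562.001).
DEFENDER_RTP = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection"
    r"|DisableOnAccessProtection|DisableScanOnRealtimeEnable)$",
    re.I,
)

# Run / RunOnce autostart entries in HKLM or any user hive (ATT&CK T1547.001).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)

# Paths an unprivileged dropper can write to; a Run entry pointing here is far
# more suspicious than one pointing into System32 or Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\a1b2c3.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\a1b2c3.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 13,  # benign: OS component registering its tray app
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13,  # benign: value set back to 0, i.e. protection re-enabled
     "Image": r"C:\Program Files\Vendor\agent.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
]


def classify(event: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None."""
    if event.get("EventID") != 13:
        return None
    target, details, image = event["TargetObject"], event["Details"], event["Image"]
    if DEFENDER_RTP.search(target) and DWORD_SET.search(details):
        return "defender_rtp_disabled"
    if RUN_KEY.search(target) and (USER_WRITABLE.search(details) or USER_WRITABLE.search(image)):
        return "run_key_from_user_writable_path"
    return None


def detect(events) -> list:
    """(rule, image, target) for every event that matches a rule."""
    return [(rule, ev["Image"], ev["TargetObject"])
            for ev in events for rule in [classify(ev)] if rule]


def correlate(findings) -> dict:
    """Group rule hits by process image and keep images tripping two or more
    distinct rules: the Defender-tamper-plus-persistence combination seen here."""
    by_image = defaultdict(set)
    for rule, image, _target in findings:
        by_image[image].add(rule)
    return {img: rules for img, rules in by_image.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print("correlated:", correlate(hits))
```

The other registry behaviours in the list (the country-code lookup and the Uninstall-key enumeration) are reads, which Sysmon does not log; covering them needs an EDR that records registry queries, or the sandbox trace itself.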

MITRE ATT&CK Enterprise v6

Tasks