General

  • Target

    28f91b4ca630b33aaea69848a2bfe143.bin

  • Size

    720KB

  • Sample

    230528-bk4sbadg24

  • MD5

    cd269445ba7a7a3607bbce1f8e5848c9

  • SHA1

    58c7feacf01bbff334f0bf58d988c4605e3e25cd

  • SHA256

    ab643604bc3244c83f2d457e54c5eb2ef0b7903cfe72e2f3360981db1be32ec9

  • SHA512

    011d458883d6c1e35e4ff3e990de689cc43e319b712cf72bc77c05d4691473c50b285beff48893e528936774b8123538c4186904dae89a88bce7ed6a62d8f472

  • SSDEEP

    12288:00bNfpcAGhj+IGVMui3cAG3gAMIhd//hQNF6bbzUYXChR2u/ZJ:00pfpMh7GVriU36id//yNF6HIYXC7/r

Malware Config

  • Extracted

    Family: redline
    Botnet: disa
    C2: 83.97.73.122:19062
    Attributes:
      • auth_value: 93f8c4ca7000e3381dd4b6b86434de05

  • Extracted

    Family: redline
    Botnet: goga
    C2: 83.97.73.122:19062
    Attributes:
      • auth_value: 6d57dff6d3c42dddb8a76dc276b8467f

Targets

    • Target

      6a573853b0e3b3326ad7d61767d545a5834b55eda1699bf6b504f3d23ddb7aa3.exe

    • Size

      764KB

    • MD5

      28f91b4ca630b33aaea69848a2bfe143

    • SHA1

      0163bf012795a58427d00e636f235c1d561e44c7

    • SHA256

      6a573853b0e3b3326ad7d61767d545a5834b55eda1699bf6b504f3d23ddb7aa3

    • SHA512

      018ca0e6347c0a1317d83cb9fee20501a210ece0ff15a0d1ae030c754be256f8900c59bfe45b892f8f3d80e89965519b5940e310fa94ecae407ad2fa2e70e265

    • SSDEEP

      12288:/Mrqy90IBG4rNM3zIW4nVtRsl7GjXREgMyUMO+sG7TJDshII4dWGmdQLBZEq8:ly8OerdlyjXeyk+ZTu94QGmdUp8

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (2) T1112
    Disabling Security Tools (1) T1089

  • Credential Access

    Credentials in Files (1) T1081

  • Discovery

    Query Registry (2) T1012
    System Information Discovery (2) T1082

  • Collection

    Data from Local System (1) T1005