Overview

overview

10

Static

static

3

ceb4050907...56.exe

windows7-x64

10

ceb4050907...56.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4f0e72634dfd99a740b58abd32c14e3a.bin

  • Size

    720KB

  • Sample

    230528-bttzgadg59

  • MD5

    a869797bf5f654628923e9753618eea7

  • SHA1

    7172911bfc2308426874e0ec13a86663e6672eb6

  • SHA256

    02e4bcfa17e67af1cc0b5593b5b13a38cc77e5244c7d71342a0fe9a85790b812

  • SHA512

    c91e77f9c5339cdc2d87dee1fd36daa6a1b8ab61cb7bb3833c0c34453c3d2178b7a12146011328c9e8748b955ed67145170fff12f4a1d69ed8d4c526a89cca2a

  • SSDEEP

    12288:ILMAg4lx4+oGy8k2xiz3iTq30wMCs6XUl19jV5wM6tWpW5sNH+HZ:UE4y85iz98UUl19jdpW+AHZ

Score
10/10
redlinegogamisadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

misa

C2

83.97.73.122:19062

Attributes
  • auth_value

    9e79529a6bdb4962f44d12b0d6d62d32

Extracted

Family

redline

Botnet

goga

C2

83.97.73.122:19062

Attributes
  • auth_value

    6d57dff6d3c42dddb8a76dc276b8467f

Targets

    • Target

      ceb40509077eb9c6bdf487bf8d7fbe703e6410361a30fffc100d7311f6d50d56.exe

    • Size

      764KB

    • MD5

      4f0e72634dfd99a740b58abd32c14e3a

    • SHA1

      9f668bd7549ba16c89e864108c001b68094464f1

    • SHA256

      ceb40509077eb9c6bdf487bf8d7fbe703e6410361a30fffc100d7311f6d50d56

    • SHA512

      7f89816a53d020de0c589e457c5a027a895998068b28b677f0cc63a30f68bd65222e70d48cd04afa622e0010fd4279889f7730c7059d85e98a371f1709c999ef

    • SSDEEP

      12288:jMrpy90twAkE/LdS/7xKeTmHxL6XAUmfnrdhf4xPC4II4dqOmdQLBBEQ/+:CyekETdS/FZyWAlP3f4d94kOmdU9+

    Score
    10/10
    redlinegogamisadiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks