General

  • Target

    907c6cf2b961e2f52e6af8bcd8d8120d28442111cd49dd77d2ebf7670cca3473

  • Size

    770KB

  • Sample

    230528-dsakjsee3t

  • MD5

    58656582cc3221d3ad1f5063ada568d9

  • SHA1

    65a509640cfebf215a8faabbf03c5644fecbba73

  • SHA256

    907c6cf2b961e2f52e6af8bcd8d8120d28442111cd49dd77d2ebf7670cca3473

  • SHA512

    23cb5666d2a55af6cb7cbbbb401cea1f9666be870b33b768b39708a413571c4435e28d4b0a42ec84ab53ef9a4e39419699f978d4e7a19ac367533963d5057fd0

  • SSDEEP

    12288:wMrYy90NozicmWTr85Q9Z3NMf/bKAvivLHd/BQpcK5E+NxI7C6cbiTbqzcp8YU9p:4y1X8W9g2HK5B7I7SbIbqzc9lG

Malware Config

Extracted

  • Family

    redline

  • Botnet

    dura

  • C2

    83.97.73.127:19062

  • Attributes

    auth_value: 44b7d6fb9572dea0d64d018139c3d208

Extracted

  • Family

    redline

  • Botnet

    heroy

  • C2

    83.97.73.127:19062

  • Attributes

    auth_value: b2879468e50d2d36e66f1a067d4a8bb3

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
