Resubmissions

28-05-2023 16:42

230528-t74d6sff53 10

28-05-2023 16:13

230528-tpaddaga2s 10

General

  • Target: f630965e26d4944e1cb9998e3a872f96d79bec27a5966a002daa044e30cbf96e
  • Size: 803KB
  • Sample: 230528-tpaddaga2s
  • MD5: 3aba27546cfb995b1bd540e347eccac8
  • SHA1: 573dd267085451c4feb8bc400ba1ad0bf7b877bf
  • SHA256: f630965e26d4944e1cb9998e3a872f96d79bec27a5966a002daa044e30cbf96e
  • SHA512: 89112ba366a0d2bb7d0c812ba2e92b779fe40b7c22a9627e928ff06cb3f7be74814e52253cdcdf54dfb5a85f4c3d2a6614f40fecd3092e00f1644831af4dc892
  • SSDEEP: 12288:MMr/y90NfdBoDcQfru2Cr0O8gUHTYegNmDm/axel+u2l0Rm1jjiAU3t:LygfZQfru2CrkHPHDKoNF54

Malware Config

Extracted

  • Family: redline
  • Botnet: diza
  • C2: 83.97.73.127:19045
  • Attributes
    • auth_value: 0d09b419c8bc967f91c68be4a17e92ee

Extracted

  • Family: redline
  • Botnet: metro
  • C2: 83.97.73.127:19045
  • Attributes
    • auth_value: f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6