General

  • Target: b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7
  • Size: 1.0MB
  • Sample: 230529-sxh5tacd85
  • MD5: 13cc9a77aea1d4e2b3c1c47f4d7811f7
  • SHA1: 523cffeafe96e0a93511571c22a3b5bf6f80aa35
  • SHA256: b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7
  • SHA512: 3996cfe348169afd0c489025f729dc2b8b703b8d86dec5ee281074b7e8f73b379c2f8b0eeafcb6495f3825fbef0b10efdfcc7ed092f23a95f782b2ba745c71d3
  • SSDEEP: 12288:gMrCy908OLqjW56NcoAlJhOJFP76h04TmFOlLr3FWHVQFpU2Nb8vJM5SMaFaaDya:SyEyco37G+4JEHVQnU2Nbaj5Fauyvi

Malware Config

Extracted

  • Family: redline
  • Botnet: lizsa
  • C2: 83.97.73.127:19045
  • Attributes
      • auth_value: 44b0b71b36e78465dbdebb4ecfb78b77

Extracted

  • Family: redline
  • Botnet: metro
  • C2: 83.97.73.127:19045
  • Attributes
      • auth_value: f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

    • Target: b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7
    • Size: 1.0MB
    • MD5: 13cc9a77aea1d4e2b3c1c47f4d7811f7
    • SHA1: 523cffeafe96e0a93511571c22a3b5bf6f80aa35
    • SHA256: b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7
    • SHA512: 3996cfe348169afd0c489025f729dc2b8b703b8d86dec5ee281074b7e8f73b379c2f8b0eeafcb6495f3825fbef0b10efdfcc7ed092f23a95f782b2ba745c71d3
    • SSDEEP: 12288:gMrCy908OLqjW56NcoAlJhOJFP76h04TmFOlLr3FWHVQFpU2Nb8vJM5SMaFaaDya:SyEyco37G+4JEHVQnU2Nbaj5Fauyvi

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                           Count  ID
  Execution             Scheduled Task                      1      T1053
  Persistence           Modify Existing Service             1      T1031
  Persistence           Registry Run Keys / Startup Folder  1      T1060
  Persistence           Scheduled Task                      1      T1053
  Privilege Escalation  Scheduled Task                      1      T1053
  Defense Evasion       Modify Registry                     2      T1112
  Defense Evasion       Disabling Security Tools            1      T1089
  Credential Access     Credentials in Files                1      T1081
  Discovery             Query Registry                      2      T1012
  Discovery             System Information Discovery        2      T1082
  Collection            Data from Local System              1      T1005