Overview

overview

10

Static

static

3

05ada3c7bb...76.exe

windows7-x64

10

05ada3c7bb...76.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1c9179fad34aa4dd246b5ebd3539b7b1.bin

  • Size

    691KB

  • Sample

    230607-bpd3fsgc65

  • MD5

    d2f2fb1886ce017030ab225617a4922f

  • SHA1

    a45a482323f891f83f807adc932647f881707e46

  • SHA256

    baff53861dd80458c98ebe09f01ac9cc5885678651fc6d5c3e62dab932973b62

  • SHA512

    6808ceec8c56ac0b66ba3f95897ef5f6a6baba6ad11c236f025b3d25a608f89507a358116e056fb166c98ef18a0780ff70bd48bfad12fab6dfcb1867cd428607

  • SSDEEP

    12288:Na288LUAdfQTwY3UGF0C2IYZkBGL9kD9VjvzCr7v7agqOmsVUiJN9CUfs9a5Co:Nr8QUPcRIpRVjvzUv7T5v9CUfYaCo

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Targets

    • Target

      05ada3c7bb54efda0f84ce338d7558a6000e4bffc6e640d5ac2c25f6b1504976.exe

    • Size

      735KB

    • MD5

      1c9179fad34aa4dd246b5ebd3539b7b1

    • SHA1

      04d1a165e2e7dc2f1736223a9cfe1ad7aebacb6a

    • SHA256

      05ada3c7bb54efda0f84ce338d7558a6000e4bffc6e640d5ac2c25f6b1504976

    • SHA512

      ead9b21f1df264c0fff816a6e11eba1c747cf16bb7dcc65c766f203a848e31b7e882edfc36bee62f6e22eb0639470bed72022759012204c92fb5919251e60edd

    • SSDEEP

      12288:hMrqy90LcnW2YHevd7sSQ3lcPnQgP7ya7NkVBV20IxE:DyA2YHevd7sSI2f5Pua+I0qE

    Score
    10/10
    redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks