Overview

overview

10

Static

static

10

0x00080000...09.exe

windows7-x64

10

0x00080000...09.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    0x00080000000122e6-109.dat

  • Size

    172KB

  • Sample

    230607-nthmnahg92

  • MD5

    831526f80b3c6470de380197e6769102

  • SHA1

    d4026f4e9a991f20b3a67b5af38cf30c1ec13341

  • SHA256

    870b9d125d13f0f0a50a268194bf16612da6c8456caba3b9c354ed9f94461189

  • SHA512

    101c932ab0b793956431ace0d89803d363906a421a192887a18b9e51e3da269a383f9aa87b426a7c1f64bfcd5ef1881cab86cfbbda78c72daa8f121f92aa6753

  • SSDEEP

    3072:8kFJbrY5Ol3IGrSGnUxNE+y9gtBSyXiyyec8e8hQ:8kTYE3JnjCtBSyXiyyec

Score
10/10
redlinedizadoxasherondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

doxa

C2

83.97.73.129:19068

Attributes
  • auth_value

    8cf5ba009458c73b014353d79d8422c6

Extracted

Family

redline

Botnet

sheron

C2

83.97.73.129:19068

Attributes
  • auth_value

    2d067e7e2372227d3a03b335260112e9

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Targets

    • Target

      0x00080000000122e6-109.dat

    • Size

      172KB

    • MD5

      831526f80b3c6470de380197e6769102

    • SHA1

      d4026f4e9a991f20b3a67b5af38cf30c1ec13341

    • SHA256

      870b9d125d13f0f0a50a268194bf16612da6c8456caba3b9c354ed9f94461189

    • SHA512

      101c932ab0b793956431ace0d89803d363906a421a192887a18b9e51e3da269a383f9aa87b426a7c1f64bfcd5ef1881cab86cfbbda78c72daa8f121f92aa6753

    • SSDEEP

      3072:8kFJbrY5Ol3IGrSGnUxNE+y9gtBSyXiyyec8e8hQ:8kTYE3JnjCtBSyXiyyec

    Score
    10/10
    redlinedizadoxasherondiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks