General

  • Target

    17c9df17ba5488cf86abd5ac65bfc3da95db6daaa3eb62c88b22b52416ba8e52

  • Size

    751KB

  • Sample

    230608-gqn7pscg89

  • MD5

    bc9823fb6d6d8e0773f5b1aa50fd4cfa

  • SHA1

    d3b2247e62e3d75bde2695f8120fbdfafa448d20

  • SHA256

    17c9df17ba5488cf86abd5ac65bfc3da95db6daaa3eb62c88b22b52416ba8e52

  • SHA512

    37164991ade87dd117b1d97a70a47d5723d2a68e333b83128aa51c02e6d487933c2867c988ce4d0a7aa60ea858533dc89786ba13ea0db4621012c83d9975a267

  • SSDEEP

    12288:pMrBy909I3/RM2jH/z2aAEbhVBfeUhiPxR2Hy4NN6KnzCeGaFIS8:cy6CvqarhVxeeWxR+pnzRNFIS8

Malware Config

Extracted

  • Family

    redline

  • Botnet

    diza

  • C2

    83.97.73.129:19068

  • Attributes

    • auth_value

      0d09b419c8bc967f91c68be4a17e92ee

Targets

    • Target

      17c9df17ba5488cf86abd5ac65bfc3da95db6daaa3eb62c88b22b52416ba8e52

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    • T1031 Modify Existing Service (1)

    • T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    • T1112 Modify Registry (3)

    • T1089 Disabling Security Tools (2)

Tasks