General

  • Target

    das.dotm

  • Size

    17KB

  • Sample

    230706-cafheaaa3v

  • MD5

    73e957de5a5482ecb3d09b16bee4c437

  • SHA1

    49ec08b4e68f075361ede886ab1f23e099fceac1

  • SHA256

    b3200b327c47f93a8d1049868c459576da23aee389cf9aa84f489e9ee07a3b68

  • SHA512

    b5f0c6c70bfa5ff00ff8a25b65f87cd60ec5d6d2c10d989f9a6e3eb2653b76c26d427dac50ebf0b18f970f072046b6ede3a4520f7f01ebd2a9718225ecff036d

  • SSDEEP

    384:tmtUg6VnjXbwcQz0MC78QN1Wz0JIE0B3s:qe1HbQzI8QN1Wzqz0a

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

    yes

  • URLs (exe.dropper)

    https://bitbucket.org/kayodi3643d/kayodi3643-dotvilla.com/downloads/123.zip

Extracted

  • Family

    redline

  • Botnet

    WORD

  • C2

    5.42.92.116:36870

  • Attributes

    auth_value: 03ac9d19ec75717750b3f79404be2f9e

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                     Count  ID
  Execution            Scripting                     1      T1064
  Defense Evasion      Scripting                     1      T1064
  Credential Access    Credentials in Files          1      T1081
  Discovery            Query Registry                2      T1012
  Discovery            System Information Discovery  2      T1082
  Collection           Data from Local System        1      T1005
  Command and Control  Web Service                   1      T1102