General

  • Target

    3020-61-0x0000000002340000-0x0000000002374000-memory.dmp

  • Size

    208KB

  • Sample

    230810-r7xkhsdf58

  • MD5

    f97604ff929688d989cf841daa18285b

  • SHA1

    d06e95f52be5f9d94b1316fc7b2cb1339ef4dc75

  • SHA256

    d447acfea3cd5d34b857f21ffedcb4ebb6ffb1ee5572346af2deb3a467148689

  • SHA512

    57a4f26d0798f81593155b4e63dd4a818350c56d63a2b89f41113fb2990833b2002d054475d431db7f66853863420a8534c6f0c66b45537267f375d7123a7584

  • SSDEEP

    3072:c2d6mtyOf3YItpGVH1/W92Ve/eV+9wdLxwafS8e8hq:x6mtyOgItpGgD/eUmZS

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

136.244.98.226:33587

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Targets

    • Target

      3020-61-0x0000000002340000-0x0000000002374000-memory.dmp

    • Size

      208KB

    • MD5

      f97604ff929688d989cf841daa18285b

    • SHA1

      d06e95f52be5f9d94b1316fc7b2cb1339ef4dc75

    • SHA256

      d447acfea3cd5d34b857f21ffedcb4ebb6ffb1ee5572346af2deb3a467148689

    • SHA512

      57a4f26d0798f81593155b4e63dd4a818350c56d63a2b89f41113fb2990833b2002d054475d431db7f66853863420a8534c6f0c66b45537267f375d7123a7584

    • SSDEEP

      3072:c2d6mtyOf3YItpGVH1/W92Ve/eV+9wdLxwafS8e8hq:x6mtyOgItpGgD/eUmZS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks