General

  • Target

    fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995

  • Size

    352KB

  • Sample

    230810-wer7jsga43

  • MD5

    113c295681410c02517b52bd6aba932e

  • SHA1

    fce1b1b3e8453d533f1e1a3e09c9be07e4aecea9

  • SHA256

    fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995

  • SHA512

    0ab52de3cd5ac3f3f0d559cd5fbe01be6168317b127c7807cafb58f4efdc57726ff72b6fc262d50f349fd82fe70d61f6171cc1fb72dbe3f3302dda8bbdc49f9a

  • SSDEEP

    6144:fKXk0q1dKqu9A3Sw5udy+H37xW82V598wzS78wXO:SUz1dKqu9A3J5udVH3FWz9sA

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

136.244.98.226:33587

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Targets

    • Target

      fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995

    • Size

      352KB

    • MD5

      113c295681410c02517b52bd6aba932e

    • SHA1

      fce1b1b3e8453d533f1e1a3e09c9be07e4aecea9

    • SHA256

      fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995

    • SHA512

      0ab52de3cd5ac3f3f0d559cd5fbe01be6168317b127c7807cafb58f4efdc57726ff72b6fc262d50f349fd82fe70d61f6171cc1fb72dbe3f3302dda8bbdc49f9a

    • SSDEEP

      6144:fKXk0q1dKqu9A3Sw5udy+H37xW82V598wzS78wXO:SUz1dKqu9A3J5udVH3FWz9sA

    • RedLine

      RedLine Stealer is an information-stealing malware family written in C# (.NET), first seen in early 2020 and sold to affiliates as a service. It harvests browser credentials, cookies and autofill data, cryptocurrency wallet files and basic system information, then uploads them to the C2 endpoint embedded in its configuration (here 136.244.98.226:33587, botnet "LogsDiller Cloud").

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A process was created with an explicitly chosen parent (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), so the process tree no longer shows the real creator. This parent PID spoofing defeats detections that rely only on parent/child relationships.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers target the browser profile directories, which hold saved credentials, cookies, autofill data and browsing history; RedLine decrypts and exfiltrates these to its C2.

    • Themida packer

      Detects Themida, a commercial Windows software protector whose code virtualization and anti-debugging layers hinder static analysis and unpacking; the sample must usually be dumped from memory after it unpacks itself.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger class stops debug events from that thread reaching an attached debugger, a common anti-analysis technique.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is the usual final step of process hollowing or thread hijacking: execution is redirected into injected code before the thread is resumed.

MITRE ATT&CK Enterprise v15

Tasks