General

  • Target

    43866279c665ce788216110e56726c1b82817ab79bbc9.exe

  • Size

    343KB

  • Sample

    230811-adrczahf95

  • MD5

    05110422872ebc723d10a402fdc27a47

  • SHA1

    c06ffb335c9e4fc26d5a15e3347599e061ace2d7

  • SHA256

    43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4

  • SHA512

    dea9eadcd97d4851b7c428c73ded0e32c68eda4a3b986952b6305a4ea3a5ac90073ed4bb9811813c8e73770e5c2a0985e170fb5cdb421fa4b53763779c31c334

  • SSDEEP

    6144:Cgk+3Y7WfT12E7n1XHs7j/X07eRFCvBVtcIIVMI:3kydfTrBHWk7eohrI

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

136.244.98.226:33587

Attributes

  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks