General

  • Target

    2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf

  • Size

    769KB

  • Sample

    230912-l2ejvseb69

  • MD5

    f67cbc2d576f1070b671c306fc10972f

  • SHA1

    64d4fb9da61f659e1b807d443f73a84c6d2c866f

  • SHA256

    2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf

  • SHA512

    1ccc3d146015fd43701b24b251f578cdc0bc80f8def49c8e11ae62507d27e72f828de59e5febe9d536529b6909b468017bf84290024c473fbdf1009033eee613

  • SSDEEP

    12288:MMrTy90dPfu4WPWrxaR0NjbOA1CjmW60UIp/MReXe50x3q5VJmT3di63ioxNq1j3:vymhrMQbDgV60UDeXo0TTI63wFGFM

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes

  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Targets

    • Target

      2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf
    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
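The signatures above (Defender Real-time Protection tampering, a Run key for persistence, execution of a dropped EXE) and the extracted RedLine C2 are the indicators an analyst would turn into a host-side check. The following is an added example, not code from the sandbox or from the report: it matches Sysmon-style registry and network events against those indicators and tags each hit with the ATT&CK ID from the matrix below. The event records, image paths and value names are constructed for illustration; the page does not show which exact Defender values this sample writes, so the check flags any write under the Real-Time Protection policy key rather than specific value names. The hash helper lets you confirm a file on disk is the sample the report describes before trusting the rest of the report.

```python
"""Triage helper for the RedLine/Healer report above.

Added example (not the sandbox's own code). Event records are constructed
Sysmon-style dicts: id 13 = registry value set, id 3 = network connection.
"""
import hashlib
from dataclasses import dataclass

# Indicators copied from the report.
C2_HOST, C2_PORT = "77.91.124.82", 19071
REPORT_HASHES = {
    "md5": "f67cbc2d576f1070b671c306fc10972f",
    "sha1": "64d4fb9da61f659e1b807d443f73a84c6d2c866f",
    "sha256": "2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf",
}

# Registry locations behind the report's signatures. The Defender path is the
# documented Real-Time Protection policy key; the Run keys are the standard
# autostart locations (T1547.001).
DEFENDER_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class Finding:
    technique: str      # ATT&CK ID from the matrix, or "C2" for the config IOC
    description: str
    event: dict


def _under(path: str, key: str) -> bool:
    """True if `path` is a value or subkey beneath registry key `key` (case-insensitive)."""
    return path.lower().startswith(key.lower() + "\\")


def analyze(events):
    """Return findings for events that match the report's behaviours and IOCs."""
    findings = []
    for ev in events:
        if ev["id"] == 13:  # registry value set
            target = ev["target"]
            if _under(target, DEFENDER_RTP):
                findings.append(Finding("T1562.001",
                                        "Defender Real-time Protection policy modified", ev))
            if any(_under(target, k) for k in RUN_KEYS):
                findings.append(Finding("T1547.001", "Run key added", ev))
        elif ev["id"] == 3:  # network connection
            if ev["dst_ip"] == C2_HOST and ev["dst_port"] == C2_PORT:
                findings.append(Finding("C2", "connection to RedLine C2 from report", ev))
    return findings


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, in the same form as REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def is_report_sample(data: bytes) -> bool:
    """True only if every hash in the report matches the given bytes."""
    return file_hashes(data) == REPORT_HASHES


# Constructed events (hypothetical paths and value names, not taken from the page).
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "target": DEFENDER_RTP + r"\DisableRealtimeMonitoring", "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\user\AppData\Roaming\updater.exe"},
    {"id": 3, "image": r"C:\Users\user\AppData\Roaming\updater.exe",
     "dst_ip": "77.91.124.82", "dst_port": 19071},
    # Benign registry write: must not produce a finding.
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.description}: {f.event.get('target') or f.event.get('dst_ip')}")
```

On a real host, feed `analyze` with events parsed from the Sysmon operational log (Event IDs 13 and 3) and run `is_report_sample` on the suspect file; a hit on the Defender key from a process in a user-writable directory is the Healer behaviour the signature describes, and the C2 match confirms the RedLine config extracted above.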

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Impair Defenses (T1562): 1
    • Disable or Modify Tools (T1562.001): 1

Tasks