Resubmissions

23-09-2023 06:20

230923-g3294afc74 6

22-09-2023 09:24

230922-ldawrshb83 10

21-09-2023 15:40

230921-s4gwbsha8z 4

19-09-2023 16:03

230919-thpvgscc79 1

19-09-2023 13:37

230919-qw5w3shc6s 10

19-09-2023 13:25

230919-qn8yrsbc63 10

13-09-2023 11:47

230913-nx8m9aeb62 4

12-09-2023 19:11

230912-xv98qshf86 10

12-09-2023 19:03

230912-xqr7cshf46 10

12-09-2023 11:47

230912-nybd5sca41 1

General

  • Target

    https://google.com

  • Sample

    230919-qn8yrsbc63

Malware Config

Targets

    • Target

      https://google.com

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks