General

  • Target

    tmp

  • Size

    1.7MB

  • Sample

    240204-j6wylafebl

  • MD5

    a615f2eee64c5d7449a8792cc782b6d6

  • SHA1

    cf1dff4fbbf172c6870c30fc3784bdbd53d49a69

  • SHA256

    4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

  • SHA512

    9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c

  • SSDEEP

    49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

C2

185.172.128.33:8924

Targets

    • Target

      tmp

    • Size

      1.7MB

    • MD5

      a615f2eee64c5d7449a8792cc782b6d6

    • SHA1

      cf1dff4fbbf172c6870c30fc3784bdbd53d49a69

    • SHA256

      4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

    • SHA512

      9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c

    • SSDEEP

      49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks