Resubmissions

22/02/2024, 22:32

240222-2ge8nafh6z 10

22/02/2024, 22:29

240222-2d8qssfh3z 10

General

  • Target

    file

  • Size

    311KB

  • Sample

    240222-2d8qssfh3z

  • MD5

    c054341c513257d659120228b1e3d30e

  • SHA1

    e1bf5a000b44f527907b247ce4961ab3273f8be0

  • SHA256

    58198729491613457ec265253ecfba24b60f5d7a5de3fcf221bf74c8b4415dbe

  • SHA512

    9956d146dbb739298972eb7b55d6757b234b19b99e5aab7fa9e3cd2c6a5fb4b64f983c5ffcbd56f6ffdc1463bca7d4fc1725f7b377e430ff0c862e8ec593a8d2

  • SSDEEP

    3072:Ai9gAkHnjP/Q6KSEy/rHuPaW+LN7DxRLlzglKDiAj:NgAkHnjP/QBSEYOPCN7jBDiAj

Malware Config

Extracted

Family

redline

Botnet

@lipy4ka

C2

45.15.156.167:80

Targets

    • Target

      file

    • Size

      311KB

    • MD5

      c054341c513257d659120228b1e3d30e

    • SHA1

      e1bf5a000b44f527907b247ce4961ab3273f8be0

    • SHA256

      58198729491613457ec265253ecfba24b60f5d7a5de3fcf221bf74c8b4415dbe

    • SHA512

      9956d146dbb739298972eb7b55d6757b234b19b99e5aab7fa9e3cd2c6a5fb4b64f983c5ffcbd56f6ffdc1463bca7d4fc1725f7b377e430ff0c862e8ec593a8d2

    • SSDEEP

      3072:Ai9gAkHnjP/Q6KSEy/rHuPaW+LN7DxRLlzglKDiAj:NgAkHnjP/QBSEYOPCN7jBDiAj

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks