General

  • Target

    582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.zip

  • Size

    11.2MB

  • Sample

    240303-sb844scg56

  • MD5

    b48efca797e957f62154f5cecec71b49

  • SHA1

    2af1600a575ed2e65933a9f5e30c869339cf1bf6

  • SHA256

    c44c1e7f26b17b74b3650e6e728d02d4c1540fb9343ba49449bccc24d414a232

  • SHA512

    0dd1b1d4e470d05b3db09479694178073fb3c11522d8259feb059d33db0626f9f730465b66109e22084b59b5c84d050a61229c01c6c8102190b2ea0a894a5649

  • SSDEEP

    196608:66c7VWQMK2oaLNtEOcw2k42jjvh12TmdQY5LzvId2Gs+XrHtmwN8L5luX0t4M63R:66OVWc2oaLNqwm2j6T0zQQkBv8LCXRMu

Malware Config

Extracted

  • Family

    redline

  • Botnet

    gg

  • C2

    67.203.7.148:2909

Targets

    • Target

      582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe

    • Size

      20.9MB

    • MD5

      2e501240ec8b9aab46d76a6504e44882

    • SHA1

      1a97d7662e66502faa5a7718565bb362eb6f27bd

    • SHA256

      582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00

    • SHA512

      eae4aacbfcee43ad8f9b2acbddb1b3b71c2aec0064bc6605107eb8b254614361c77984d09e7eabb91fc26634822ac448d8be884dd8f174021c52979690c2f97b

    • SSDEEP

      98304:Kj1ZAxOCU3yUetDvB6ti3FOU8jRdqY9d2omTt20+NVZ:mAxOCU3yUetDvB6ti1aOTtlcVZ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Credential Access

    Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 2

Tasks