General

  • Target

    Electron.exe

  • Size

    4.3MB

  • Sample

    240303-tasleadb64

  • MD5

    a8f603a99aac807afb52d5fbb274798e

  • SHA1

    864f85d0ace0c6bf9cdb99c39caebdc7118d3cbd

  • SHA256

    7e9c0ecd6e0b3441af7df4aec555258bed5eb0355495ec55fa0ea7114ba355ae

  • SHA512

    9f2b5919b8f7f6b47eac5657167cf194751a1e6105ea0dd81b0a1cd88bf210e99d305c6a31b3c28beca17cfc197feb468ae9d1cac6af0dbcabdad3e79e7f85d0

  • SSDEEP

    98304:xMD32eCD/Z1aPgwmJiTus9cxGHTov8+D6i0x7ALf1fzRKvg:eD3jCDrggY9cUzC+Hx7Ar+4

Malware Config

Extracted

  • Family

    redline

  • Botnet

    6123951210

  • C2

    https://pastebin.com/raw/NgsUAPya

Extracted

  • Family

    gozi

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks