General

  • Target

    1544dbca0efc2c0105dd7d52a21a8891.exe

  • Size

    364KB

  • Sample

    240426-a3c7msge76

  • MD5

    1544dbca0efc2c0105dd7d52a21a8891

  • SHA1

    7fbacdb27457829215cd182eab0a4e4bb4379648

  • SHA256

    d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970

  • SHA512

    2b5cd7536e41c53d6538302c7c8b471e3a5b94926d50833c09c7e737659b8bba4c33ff02521502c90c65c11fea406a05323ff05f4fc529e54d7517653bc9e471

  • SSDEEP

    6144:1fL+oqZLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLPLLLLLLLW:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLu

Malware Config

Extracted

Family

redline

C2

5.42.92.179:18418

Targets

    • Target

      1544dbca0efc2c0105dd7d52a21a8891.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      ⠨/start.vbs

    • Size

      170B

    • MD5

      65ee9f906fdefca9b4a6a21581dd849f

    • SHA1

      b372dea5a9b9a99311445a55b634aa8f6c1d7b9d

    • SHA256

      087f43e7f9f78bbeb1050cdbfaeb3d23ad7b4b742d6ef91229b8824a20daaee6

    • SHA512

      1f593864f52ac61f7f4ef2aa1bfcf538dd2833e53bbd931f96c42b2ca90d2bf68545fdac547f0f3cce09ad7734acdb629bf642081227a996d3d22117263ad23a

    • Score

      1/10

    • Target

      ⠨/temp.bat

    • Size

      318KB

    • MD5

      36b4c4d03ab02764f2e47e30dbb6c71e

    • SHA1

      e334f09316c3c468edc1b2002f18aa886324c1fa

    • SHA256

      c94456d2617c5624a7feb6c47d0c0ab0f44efecb3f5b17f38e79aeb915f3d883

    • SHA512

      be8b27f19a223b422b0c9bc3eeb775da5595570988b5d8fee0856c398ab0befcd6c9e86d75483afbe5f8b938278fcfc9f3efac2fd8a25fbf55e213a56c34860b

    • SSDEEP

      6144:hSDgBmX4h5x6Q6cPCGUFn6uXzcKZuzVLyFBnPfWjD/DoEMs:bB5uQ6uiJXzcKZu9MlU/kTs

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic              Technique                       ID          Count
  Defense Evasion     Subvert Trust Controls          T1553       1
  Defense Evasion     Install Root Certificate        T1553.004   1
  Defense Evasion     Modify Registry                 T1112       1
  Credential Access   Unsecured Credentials           T1552       2
  Credential Access   Credentials In Files            T1552.001   2
  Discovery           Query Registry                  T1012       2
  Discovery           System Information Discovery    T1082       2
  Collection          Data from Local System          T1005       2

Tasks