General

  • Target

    22cee31b95cb8b6a767419a460aaaeb0.bin

  • Size

    367KB

  • Sample

    240503-bdd83sba6v

  • MD5

    3e3c0ffed3d8d72f5087d9f816b39ab1

  • SHA1

    2fa8b532bf0477269c2d71df10e4ec55616eef6c

  • SHA256

    08ed7d9a67d978f530561ac1fedfd8fe61bccd3b8800fc15200895971c46ad8b

  • SHA512

    e2ca2793907bdf701c7cf5520018dd7b8b9e3181f9baeeac0e01aa477d55f6473f3e7988794e19f8d970c514de09652ecf8933c29621c0f592e3f031cd22b15a

  • SSDEEP

    6144:BfUjlakOlJrl2QXsva18pPevyud1bGP5TBaKc/zpZOuqq73FWIVQt9HJHg/:dClFOlJgQ/4PGyuMTYKaZOuqq7VDy9HW

Malware Config

Extracted

Family

redline

Botnet

@Felnan32007

C2

45.15.156.167:80

Targets

    • Target

      95ac18eaf1a56e84bb1fdbe10c0f06fff91ce808d45a9359047bdb7267ec8235.exe

    • Size

      10.4MB

    • MD5

      22cee31b95cb8b6a767419a460aaaeb0

    • SHA1

      0c5c38bd43b0e2a739ec7a75f53d829b7f9f99fb

    • SHA256

      95ac18eaf1a56e84bb1fdbe10c0f06fff91ce808d45a9359047bdb7267ec8235

    • SHA512

      3caae26df9b971a72ad1f904aea02279e3550ec4e5f58ef3ec6dad6db3c35ce9cda6d28d06030aa8cd64fa84dd57a70df59db5884dc22e255cfd36f9a77f8f2e

    • SSDEEP

      6144:5n/Nq7BfxS++CICXPcxK0sdyCJoe2WdD4tGPFO9XMH5KJaRHdZQD:5n/4Nfr5xjdyCCWJ4toQY7WD

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks