General

  • Target

    2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe

  • Size

    402KB

  • Sample

    240511-bkf19afc92

  • MD5

    f02798ba573318a4ba1bb6e39c45ad5c

  • SHA1

    9b81fd616e27b9aeca4a5a42775df026da28f557

  • SHA256

    2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826

  • SHA512

    de15b3b67063359bad041e87e1f16029775ca16d2199b2284f3b3039c11f704f208fc994f1383aa7704a7c01544e87aba7c796c407c40c8281ebd607212f2385

  • SSDEEP

    6144:dzOa82gO92tYhBOl+vCit0Y0d0ggOl3yinIvSC9dRuJSo+2Aymo/un7pespk:daaR9wYhYiCDQKIvZ1uJSo+jjoS8spk

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.77:6541

Targets

    • Target

      2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe

    • Size

      402KB

    • MD5

      f02798ba573318a4ba1bb6e39c45ad5c

    • SHA1

      9b81fd616e27b9aeca4a5a42775df026da28f557

    • SHA256

      2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826

    • SHA512

      de15b3b67063359bad041e87e1f16029775ca16d2199b2284f3b3039c11f704f208fc994f1383aa7704a7c01544e87aba7c796c407c40c8281ebd607212f2385

    • SSDEEP

      6144:dzOa82gO92tYhBOl+vCit0Y0d0ggOl3yinIvSC9dRuJSo+2Aymo/un7pespk:daaR9wYhYiCDQKIvZ1uJSo+jjoS8spk

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • UPX dump on OEP (original entry point)

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks