Overview

overview

10

Static

static

3

149cd41e04...01.exe

windows10-2004-x64

10

224cc5582a...c7.exe

windows10-2004-x64

10

2489ba0556...26.exe

windows10-2004-x64

10

24bb66f25f...0a.exe

windows7-x64

3

24bb66f25f...0a.exe

windows10-2004-x64

10

3ec1481872...d9.exe

windows10-2004-x64

10

628eb5e58d...90.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

77b8709187...06.exe

windows7-x64

3

77b8709187...06.exe

windows10-2004-x64

10

94a701520b...a3.exe

windows10-2004-x64

10

d9d3f90c8c...39.exe

windows7-x64

3

d9d3f90c8c...39.exe

windows10-2004-x64

10

f02b51da6b...9b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    11.zip

  • Size

    3.9MB

  • Sample

    240513-wa5l3sff4z

  • MD5

    5830ae81b6c9d19f7348a03269a38e6c

  • SHA1

    3f1072570038f557495078a23dcf4c291f1511c7

  • SHA256

    ca441cc9e69c9106b68d24f81e5bfa4a6cccf701fd348d0f609d13e02e80e122

  • SHA512

    948eb9bd0d0024b62370af39485bbfbdce3f601dfd1914450f1fc4a456afe6f584bd42962b71b2315a1cf6752638e87a99164e8f0808bfb507f1ea51e51dfb26

  • SSDEEP

    98304:1CH9WeGcOGNdTndHxrrY5XNFtrRRPY5XyX+SR5LEObb:1S96/oFdHNqFRRPY5XmRRWObb

Score
10/10
healerredline53459874207001210066@qwerabusedebromixadiscoverydropperevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes
  • auth_value

    18c2c191aebfde5d1787ec8d805a01a8

Extracted

Family

redline

Botnet

@qwerabuse

C2

45.15.156.167:80

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      149cd41e04afd54119c40358aa55b0d0de72a8c1e612ff1d1d4d79ab20ba8a01

    • Size

      488KB

    • MD5

      d2baad5181035b853d37213e96ab5cb0

    • SHA1

      ea7d2a47054b24b4c3f9569f6440e241448696c2

    • SHA256

      149cd41e04afd54119c40358aa55b0d0de72a8c1e612ff1d1d4d79ab20ba8a01

    • SHA512

      074df38a24e951caa6f69cda76683bcd9058e0ff87406a96f8d18a95998484a55e3401f89c59f28ffe029fcf581f028e40da8cf0d24deef53b1662539df3e291

    • SSDEEP

      12288:CMrOy90tPjCZopOsfm8DfbuusCN3Tv1lpqokW4md:Yy1A+8DdsCR1/FkW4c

    Score
    10/10
    redlinedebroinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      224cc5582a9ac886fdd93fbf84f5c94ce0cbf206de2d7defc6c50dc8e03974c7

    • Size

      488KB

    • MD5

      c970c0f3c54d3b026f962562c9c31562

    • SHA1

      2726deeff32a0c3d297d80e27f0f2bb9347ed051

    • SHA256

      224cc5582a9ac886fdd93fbf84f5c94ce0cbf206de2d7defc6c50dc8e03974c7

    • SHA512

      fe5098ddd3804fae377bfefc852ee66d9d478854daec8d40547ce1f5b6dcb76db5d83e2d24902a7a63e034f6ede8f2fd37106adc77cdabdc73419de893012395

    • SSDEEP

      12288:JMr7y90GoBdBgIjV9jZIHS494fEgp7IMwbj/8ymW:CyOBdJV9ji8fL7IMMj/8ymW

    Score
    10/10
    redlinemixaevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026

    • Size

      316KB

    • MD5

      882d286f0c6f245572eb0481657d90db

    • SHA1

      21e9879f7ccd03b084bf8376a7facdfb03ee1040

    • SHA256

      2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026

    • SHA512

      d4936c477106ed874097dac7c040bf8db82fe942771c654c30d7d6e427588bf5eb1c0d00db75c03c588de20477db426d3651deb8776f30a5176f46238bf702e0

    • SSDEEP

      6144:Koy+bnr+jp0yN90QEq6vZrMgX3eYK41E8OBURKaJCd:wMr3y90YmN3rKWOmEawd

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      24bb66f25f5846f5ea1f67380d2e9e03d5b0407a21b48ff5b74ad88f86154c0a

    • Size

      208KB

    • MD5

      cafa54d0f7116e1325925205a0e8229a

    • SHA1

      a698fb6c82c6d3e2e015eddff0daf5be03387c08

    • SHA256

      24bb66f25f5846f5ea1f67380d2e9e03d5b0407a21b48ff5b74ad88f86154c0a

    • SHA512

      4d0807a5e5b7bbfe5efdb1ad0bb62f1fe207f6e588f2647bd762bf6e4e06966e483cc8ea193f6e9d5ab20cbbba5ab247544e92d52afe346c391c172cfa09bfe7

    • SSDEEP

      6144:3FbbHh7i9t/DXyR3T7SmHPIl09jkugp+spq:3JbA9JDCR02g8spq

    Score
    10/10
    redline5345987420discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral4behavioral5

    • Target

      3ec1481872e34c0f6b2c41f3f178fb42c073b52fa885bcf975535f131944bbd9

    • Size

      488KB

    • MD5

      ce979609d69a348ac7a39b4abef5c446

    • SHA1

      95baefc94c34cfc8fc3e7d02b1bb12a23cf95b8a

    • SHA256

      3ec1481872e34c0f6b2c41f3f178fb42c073b52fa885bcf975535f131944bbd9

    • SHA512

      82e639fc3c48584ebda03c2974a1a6fdc7415eb0547733dff9a682ac199927b095f755e7f407c3a9f9ccaf0aad678104d84d4233750c72daeccca552e6f9c42e

    • SSDEEP

      12288:QMrjy900RuFvquqgly2mPzKlOUaaA9qiTGAb0XL:jyHu9qXXUaaAJb0b

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      628eb5e58da922f1ec2c7e11dcd4c6cabba8c691205bf118898876a7c1231c90

    • Size

      488KB

    • MD5

      ce17138e84e3d3fb7fc10266b95ee07f

    • SHA1

      a89d73b42ad44a70c349dead2f0ad47043a75266

    • SHA256

      628eb5e58da922f1ec2c7e11dcd4c6cabba8c691205bf118898876a7c1231c90

    • SHA512

      08c4e34ed1059ae3c8909ad4eff1f642c02c75181d49fc10a8f3485df3eb721ad128599d2edf4ddcd3310d1b0f1a4e6cd656af55152e8cb0238d03918eeb4f0c

    • SSDEEP

      6144:KNy+bnr+ap0yN90QEoR2wkWcnZNDQR5T0FONdpmOQN/5WjWYNiPma0AqSeF16iXo:/MrOy90C4ZFOpmvsVx4feDpVNnJA2Di

    Score
    10/10
    redlinemixaevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df

    • Size

      308KB

    • MD5

      d5f61fc6a8c52e0a93619aa88abf0823

    • SHA1

      e8ab904b74f798424102a1739f810f09f1987d60

    • SHA256

      6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df

    • SHA512

      3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f

    • SSDEEP

      6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8

    Score
    10/10
    healerredlinedropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806

    • Size

      1.2MB

    • MD5

      d1e1389d7394ab7fd98f90373af3c315

    • SHA1

      b64dc6b0be03d27fc358ce333fbdf56eab28447b

    • SHA256

      77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806

    • SHA512

      0399874bcd6c22dbc7813a0284bed230d3c9bf6100e47b3674d4e623608da032b2583c78e0292b7d5344e0d0841074d69f55a1682946fa04b164ef944c6bde9f

    • SSDEEP

      24576:jqhdhAS3onZANlQWEwhv8Pu7CRydP3B0IyIV62:jgponZANlQWEwSyCRydP3qI1V62

    Score
    10/10
    redline@qwerabuseinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      94a701520b1541ce168a4e497a826d85bec77dc049bdd7de9e4665fd8ccb7fa3

    • Size

      316KB

    • MD5

      d471076bfb9f30f64ac99bfe96c6ced7

    • SHA1

      e89e8ccc76693986411584e5195ddfe6ad8fb5e7

    • SHA256

      94a701520b1541ce168a4e497a826d85bec77dc049bdd7de9e4665fd8ccb7fa3

    • SHA512

      5262eaf6b6b5634ebd1a397b4f5256c48fc875292cb0d0784bad47fdf76676e4c3881441f9dd998203c133d970aae8738ad4663fc0f54be2258595fc25bf3066

    • SSDEEP

      6144:K/y+bnr+tp0yN90QE56vZrMgX3eYK41E8OBURKaJOf:BMrdy90/mN3rKWOmEaMf

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral11

    • Target

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • Size

      315KB

    • MD5

      cdff25efc7f7e69dc426b36f31b873ed

    • SHA1

      339a84e0af5d6442c2b11eea5f802635cbc0c776

    • SHA256

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • SHA512

      f1ca99cbe6e504d5e695ccb31dafc3b8b4e01faaed77d3058163011add4a47159ba4629e98b422145cefbea0dc07216e5c36837545911f800378f636bf700fa3

    • SSDEEP

      6144:aH9pI60nbM8uPZy3+8KIDwZuNVXSZmn3qPOYTn/MHBXHS:e9+60nbnujZaMY6pjGHS

    Score
    10/10
    redline7001210066discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral12behavioral13

    • Target

      f02b51da6b6ee268ba4e404af6561d6ba14b5517acb7a394deaeebb29740329b

    • Size

      488KB

    • MD5

      891f6632cb79d1a9f0c188bb814ddf7d

    • SHA1

      4997b9b5b1a5e6deeab98e624c86e3b3169a14f8

    • SHA256

      f02b51da6b6ee268ba4e404af6561d6ba14b5517acb7a394deaeebb29740329b

    • SHA512

      dbc5639275d774c895a31d6426755931e5d7adb3ba53a0a443c4688f80bd74b1ef772697c0e5234aafea1f57658a1bcb850c4f4273990de5e575189cc0df959d

    • SSDEEP

      12288:6MrXy90wdCHRMJriKLzKlOkuagW50P60q:RybdCx0riKnkuagL69

    Score
    10/10
    redlinedebroevasioninfostealerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

8
T1547

Registry Run Keys / Startup Folder

8
T1547.001

Create or Modify System Process

7
T1543

Windows Service

7
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

8
T1547

Registry Run Keys / Startup Folder

8
T1547.001

Create or Modify System Process

7
T1543

Windows Service

7
T1543.003

Defense Evasion

Modify Registry

23
T1112

Impair Defenses

14
T1562

Disable or Modify Tools

14
T1562.001

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

2
T1102

Impact

Resource Development

Reconnaissance

Tasks

static1

Score
3/10

behavioral1

redlinedebroinfostealerpersistence
Score
10/10

behavioral2

redlinemixaevasioninfostealerpersistencetrojan
Score
10/10

behavioral3

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

Score
3/10

behavioral5

redline5345987420discoveryinfostealerspywarestealer
Score
10/10

behavioral6

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

redlinemixaevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

healerredlinedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

Score
3/10

behavioral10

redline@qwerabuseinfostealer
Score
10/10

behavioral11

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10

behavioral12

Score
3/10

behavioral13

redline7001210066discoveryinfostealer
Score
10/10

behavioral14

redlinedebroevasioninfostealerpersistencetrojan
Score
10/10