General

  • Target

    red.zip

  • Size

    40.9MB

  • Sample

    240514-g3k1tade3x

  • MD5

    8d6d14a66b96ddabfe7ad1ca6d96350b

  • SHA1

    b9da7120b47a59d36c015d36bf2c0f2b92aeadb8

  • SHA256

    d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39

  • SHA512

    2a5214bb52069774d9fa0577ee0680b4017f0bb9d1e839db72d9f9dee17b04d48363e674ebf84bea4745b23960c0d64d0f1698d6310940467dcd1680756af2fb

  • SSDEEP

    786432:8aiC+Jcm1wKfVUNE9ymh2oJAIdoD/goa/ooRm3L1o6GqUh9q4p/aXZBJbQW:ECb1ukE96oJVea/HRmb1VGqUvViJh

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes
  • auth_value

    a5db9b1c53c704e612bccc93ccdb5539

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

stealc

C2

http://147.45.47.71

Attributes
  • url_path

    /eb6f29c6a60b3865.php

Extracted

Family

lumma

C2

https://smallelementyjdui.shop/api

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://tendencyportionjsuk.shop/api

https://headraisepresidensu.shop/api

https://appetitesallooonsj.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/NgsUAPya

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648
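The extracted configs above mix four shapes of C2: a bare IP (RisePro), an IP:port socket (RedLine "dimas" and "darm"), an HTTP host with the path reported separately as a url_path attribute (Stealc), and full URLs, some on a legitimate paste service used as a dead drop (RedLine 7001210066, 5637482599 and 5195552529). The following is an added example, not part of the sandbox report, that parses this section's text into typed indicators and splits them into what can be blocked outright and what must be matched as a full URL. The sample text is a compact, constructed copy of the configs shown on this page with blank lines removed; the dead-drop host list is an assumption covering only what the page shows.

```python
"""Normalize the C2 values of a sandbox 'Malware Config' section into typed
indicators. Added example; CONFIG_TEXT is a constructed copy of the page's configs."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

CONFIG_TEXT = """
Extracted
Family
risepro
C2
194.49.94.152
Extracted
Family
redline
Botnet
dimas
C2
185.161.248.75:4132
Attributes
• auth_value
a5db9b1c53c704e612bccc93ccdb5539
Extracted
Family
stealc
C2
http://147.45.47.71
Attributes
• url_path
/eb6f29c6a60b3865.php
Extracted
Family
lumma
C2
https://smallelementyjdui.shop/api
Extracted
Family
redline
Botnet
7001210066
C2
https://pastebin.com/raw/NgsUAPya
https://pastebin.com/raw/KE5Mft0T
"""

KEYS = {"Family", "Botnet", "C2", "Attributes"}
# Legitimate services the report flags as abused for C2 (assumption: only pastebin.com here).
DEAD_DROP_HOSTS = {"pastebin.com"}
SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class Extraction:
    family: str = ""
    botnet: str = ""
    c2: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Indicator:
    family: str
    botnet: str
    kind: str  # ip | socket | url | dead_drop | unknown
    value: str
    host: str


def parse_configs(text):
    """'Extracted' opens a block; a key line selects the field that the
    following value lines fill. Blank lines are ignored."""
    blocks, cur, section, attr = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "Extracted":
            cur, section = Extraction(), None
            blocks.append(cur)
        elif cur is None:
            continue
        elif line in KEYS:
            section, attr = line, None
        elif section == "Family":
            cur.family = line
        elif section == "Botnet":
            cur.botnet = line
        elif section == "C2":
            cur.c2.append(line)
        elif section == "Attributes":
            if line.startswith("•"):
                attr = line.lstrip("• ")
            elif attr:
                cur.attributes[attr] = line
    return blocks


def classify(ext):
    """Type each C2 string so it can be routed to the right control."""
    out = []
    for c2 in ext.c2:
        m = SOCKET_RE.match(c2)
        if m:
            out.append(Indicator(ext.family, ext.botnet, "socket", c2, m.group(1)))
            continue
        try:
            ipaddress.ip_address(c2)
            out.append(Indicator(ext.family, ext.botnet, "ip", c2, c2))
            continue
        except ValueError:
            pass
        url = urlparse(c2)
        if url.scheme in ("http", "https") and url.hostname:
            # Stealc reports host and url_path separately; rejoin them into the full C2 URL.
            path = ext.attributes.get("url_path")
            value = c2.rstrip("/") + path if path and not url.path else c2
            kind = "dead_drop" if url.hostname in DEAD_DROP_HOSTS else "url"
            out.append(Indicator(ext.family, ext.botnet, kind, value, url.hostname))
        else:
            out.append(Indicator(ext.family, ext.botnet, "unknown", c2, ""))
    return out


def indicators(text=CONFIG_TEXT):
    return [i for ext in parse_configs(text) for i in classify(ext)]


def blocklists(inds):
    """Hosts that can be blocked outright vs. dead-drop URLs that must be matched
    as full URLs: pastebin.com itself is legitimate and must not be blocked."""
    hosts = sorted({i.host for i in inds if i.kind in ("ip", "socket", "url")})
    urls = sorted({i.value for i in inds if i.kind == "dead_drop"})
    return hosts, urls


if __name__ == "__main__":
    for i in indicators():
        print(f"{i.family:8} {i.botnet:11} {i.kind:9} {i.value}")
```

The split matters operationally: the RedLine samples that resolve their real C2 through raw paste URLs will keep working if only the paste host is on a domain blocklist, so those entries belong in a URL-level control, while the IPs and the Lumma domains can go straight to the network edge.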

Targets

    • Target

      0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440

    • Size

      1.2MB

    • MD5

      79ddbf3796474af496fb1439c5eebc2d

    • SHA1

      a19adecb0ac26f08d575309fdd4a9829af0b4a2a

    • SHA256

      0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440

    • SHA512

      49b2ee4594692e531e3f562584462b73c74c876267fa20c4207fac6fe2de9960cf1d102bc16a41b2f4320bd6a02cbb84d3516cf00f7feca6c57cb06811b4aa99

    • SSDEEP

      24576:SBXCi7JIK8li6v93OhlvTMsY5BeDMZGxZYLrbdjxpl10s:SBSJli6v93OLicsjpus

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba

    • Size

      307KB

    • MD5

      7ca7c1a1e3520b42ee24d3b82c215022

    • SHA1

      1b2394ce0934a55e09f29874d70a41f80943608b

    • SHA256

      127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba

    • SHA512

      0e115f5b0af7d7dbced850c883ef63fcac7bf4cef8d7897c9dce247ff0220e2c3273a0ce57ee426487276fdc85ac6198f83d7123576320ca4083ab5ad85c5feb

    • SSDEEP

      6144:K+y+bnr+Hp0yN90QEqUHh4HZn7Erx2br2JpeFfX0vCk0uqo:SMrny90TH0gsbrOAfk6kFL

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde

    • Size

      33.9MB

    • MD5

      8bca5e8930ba6be4bd9ba59bc4d2f237

    • SHA1

      bd7a540af2662707c7b02871efea7e84085129fb

    • SHA256

      138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde

    • SHA512

      26945f56dc71ea5d3e5359202bc2098b23e31ad4fcf4a3fbdaade2aee2d2e50cf945c884bdf94dc5d949f14770d9d15dfc442cb58e0f50e368f58b3b923fafba

    • SSDEEP

      786432:b3yJy4bYpVyTO9NQAR29u1ocoMnTtXTzr6vmU5JaYmZJR:LyJy4sjyTuNQN9aocoqJXTz2OSaFHR

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4

    • Size

      945KB

    • MD5

      79a50ad43658e487f370e2efeddb8391

    • SHA1

      755011c959efae47576d0091bb84c5b3649fa78a

    • SHA256

      3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4

    • SHA512

      06f3841817358434fd5ad878287f62b5ccf02c2b8b4f23b25df4eddd5afd832cf1e0ae1fd76b6881a91a729304bbdc4494d4ee05fdfcfa84762ce4a0c0760971

    • SSDEEP

      12288:Tm7Ry90ebn/kwazqpDnNaHVBicWKJkc3Y7uRU2L1zmhYae+7YSF5jFLYnP5umJ9/:synEqpxTVikc3HRZL1mJEqLuBumJIx6

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4

    • Size

      332KB

    • MD5

      17c66b0d4e0365acb6ae8471066f11ee

    • SHA1

      b110e57ad1e2c4d59709a733028dc9dc78244899

    • SHA256

      5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4

    • SHA512

      9d7ff2c650cb283a0857707d8079f094c6d82dc0a483a01c6579fe902c7e19d5de64b2b72aa2a06402cdfda283911759013f3dae03a10ab723d851065cc75052

    • SSDEEP

      6144:blZwB/LgLN340nTaDpOU7riHRkygh37YwmL6ewFKbTm1OazSI+0Xp:bnhLN340nTP+ygB7YwmuTE3mhw0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb

    • Size

      976KB

    • MD5

      79676a5685abd3075d9225e1252fef08

    • SHA1

      44ebddbfb301be20aece75ec8837789fc5a116e2

    • SHA256

      6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb

    • SHA512

      067c5f880c381839135a53a2221afcf405f6c1a3267fcc887ee7786a8bb85c021e6d55ebb95ccf0ff4aae79502c28b30fc74a47279dab080315cc8d68517a36f

    • SSDEEP

      12288:ZDGmkvQuIvpbmlbqYfMG7kiinXHyOWEtggrKE+eJlmuzYj1p8OzEnVWO:IzIvpbmUYfMG7I/btggrrUxEnAO

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61

    • Size

      1.2MB

    • MD5

      1a8a91c41fbdc6ee93cc46c3f734ccc7

    • SHA1

      fadc036ad42baecea7804bd20440a69bd7cee491

    • SHA256

      8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61

    • SHA512

      3cf0ccad0bde2673352baeef3777e102469ce31424034137041987112a1314ad410e7617886914cf8febd3ef2a7f9d7b5cb717236581fda0b9555665c2d53fed

    • SSDEEP

      24576:BmBaiRH28+VLmn1zWVrWhMs2ehVDWsK+t3h5mTdOs:Bm8XVLmn1zW4VSdoWdOs

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62

    • Size

      1005KB

    • MD5

      80766f346a1033b1abfeeabc7180a880

    • SHA1

      2568f835441d53bc785a4ddf8537814826e3d064

    • SHA256

      86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62

    • SHA512

      029d53c19dd434b410eb61158e8a653c3d3725b50de9e5bb7dd766baed93a37574b3171509ee7e968d18158d89082029e74881630fb852c37b305053ec5c87aa

    • SSDEEP

      12288:VMrry90H6OndYa8eQHWFiUDhbkYuuDu6rtRHvb6sCIoxV+pY62N7198r3GJnWIi:KypOnDiU9Pyyhj6sUx+07cSkN

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e

    • Size

      307KB

    • MD5

      a28b1e892c10ba5e054b20faf5519263

    • SHA1

      d9988318cdfbb97edaa2712790cc35f3181ff7b4

    • SHA256

      8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e

    • SHA512

      fe5ef2074e8f98a066568c6ecd35bae22a556c41f5546820b1e078c0e1fe5458b15e422b9cc4c8459d307e50a0c28b9256c497f47a9fdf5e6aa6de2496c5f3e0

    • SSDEEP

      6144:KHy+bnr+Up0yN90QENoHmzPipcmKTbP5NuW5IEj061PG:dMrMy90AHePHRT9NRI4u

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04

    • Size

      479KB

    • MD5

      869d623180dff73397b5f34058e106f2

    • SHA1

      1af73065d328029ee3d82ddd8f625ad3a9d9bcff

    • SHA256

      9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04

    • SHA512

      bc8a1c93dea8662be47d3737435605efca351a80803e3b41f71da9914153eb0c320d572085e1b2671875951c3311634beae8002e984c1a69f7e98a7258c90498

    • SSDEEP

      12288:NMrLy90WwlKPPzKp3NwVDYy0GqUI6TJ60b:Cy0eLqNwVDYBG7IuN

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0

    • Size

      332KB

    • MD5

      1ca532db776dbb27e5a6fcbee57de507

    • SHA1

      4e4e348a558dd67d25b6b74fb10716a341ed9e22

    • SHA256

      9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0

    • SHA512

      865c63487816ec1d44fa10f45e29807e18de7d23d6062ca8c4000626d685948ac12c08f3fdf0d5e5c1bd84c8d89f096465ee7a3b7d2114ae7c9887e307eabf1a

    • SSDEEP

      6144:z3Lw7HV0BJJoa1L+ZBYo5+fR+yghj6Q5KBoxBG9jA4Su7xiKgW2+0Xp:zbBBJJoa1LfSyg5lKkujsu7QKl0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea

    • Size

      372KB

    • MD5

      7fea6ee2fa2a48b8b3cf29be33437d43

    • SHA1

      01eb4c37f826237968eb0a4a1d321480ef018fb9

    • SHA256

      a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea

    • SHA512

      6c2c96efd3fcbf0da5f575315aa3e963a3639807669a8403a1d1ffa39ba7f3a569394499393b08c264ebd158d7c71f5678b32fe14dedc57aa05b415bf7e87684

    • SSDEEP

      6144:nlJwRf1g7CH4k3zaz84Je0L2HRAyghfFSKwpQ33fps211Nq+EiAPI9U5+0Xp:nX77CH4k3z28jSyglFm6s21ymtB0Xp

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a

    • Size

      332KB

    • MD5

      187d281b7f99aaa9958e8fd2a3ab4ca4

    • SHA1

      4154b6a67a62d0fd8c15c681307658061b08d820

    • SHA256

      b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a

    • SHA512

      c7b432d26a86ddd0f7304f9e3a8fa9c3ff26d936210cba7645fc6a3edaccd38ef05f62540ad29fee8ad12c6838dd948dab5ce30620246badf1ea447519688ad7

    • SSDEEP

      6144:+lZwB/LgLB340nTaDpOU7riHRkyghKxWYc9GkbV9hP1l/F+0Xp:+nhLB340nTP+ygMxW9pzhPo0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a

    • Size

      479KB

    • MD5

      1f9ac4a621d3726993ba2f185215879a

    • SHA1

      e412c6fce79cee62a7b2c806be2c85c1386010a1

    • SHA256

      dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a

    • SHA512

      9d6dba40bcb85fa4209ac33f45c1c2b36e714a3438827f45effb3fce1f8110e2b015ee5d6df9d80afa9baced1af0dd486e14ff6cd2c30cbf67d9e705f6802be1

    • SSDEEP

      12288:RMriy90lIiKadmmqiVkFpziI3NM0oPiiimcr:DyEZKIzoZNM0oPii/W

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05

    • Size

      1.0MB

    • MD5

      1f3bfca89128252b6de8c902012971bc

    • SHA1

      3a96d92e2d30c786e55434238ef987bedc1381c0

    • SHA256

      ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05

    • SHA512

      b0b72f05bd8532806f39445c403adb3018609d4cc3db870f6a0314452272c0dc23885a708acb5c1cc25fb191451cd14fcd66288c63af78b77f53e2096fc18153

    • SSDEEP

      24576:7yTRVpYQYJaiLEA8vrRIBOsE3BcTpa4q+qlfApDerAV8:uTRVpRieIBOfcTpqhJGGA

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3

    • Size

      976KB

    • MD5

      1d6ed788c4432746e683db0fa5d4b441

    • SHA1

      6fd5fdedf740667fcf8f70a8586ed498d5f10b52

    • SHA256

      ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3

    • SHA512

      32ddb59adf493537c4b074e18a5c5684b5c714503d463c69b352fde37cfb98a3f4327c789d848951973476f38c80a3867b634a7364baf3bcf2c16cd351a1eb30

    • SSDEEP

      12288:ED/mkVPvnuUYmlbWIXcWzMjAcM6RYbyOuEtggbuzUB7ntu7YjDeDGiXq8h1+JdFP:Y3nuUYmYIXcWzGAcO/ztggbBfS29F

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
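Several of the behaviors listed above leave registry writes that host telemetry records: "Adds Run key to start application" (eight tasks, matching T1547.001 in the matrix), "Modifies Windows Defender Real-time Protection settings" (T1562.001), and the Windows Service creation counted under T1543.003. The following is an added example, not part of the sandbox report, that runs those three detections over constructed Sysmon-style registry events (Event ID 13, registry value set). The registry locations are the standard Windows ones; the event records, file names, SID and service name are invented for the example.

```python
"""Detect Run-key persistence, Defender real-time protection tampering and service
ImagePath writes in Sysmon-style registry events. Added example; EVENTS is constructed."""
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 records (registry value set). Invented paths and SID.
EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\IXP000.TMP\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater\Updater.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,  # the SCM (services.exe) writes the key, so Image is not the installer
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UpdaterSvc\ImagePath",
     "Details": r"C:\ProgramData\UpdaterSvc\svc.exe"},
    {"EventID": 13,  # value set back to 0: protection re-enabled, not a hit
     "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12,  # key created without a value: ignored by these rules
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
DEFENDER_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)
# Locations a stealer dropped from a user session can write to; raises severity.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DWORD_RE = re.compile(r"0x([0-9a-f]+)", re.I)


@dataclass(frozen=True)
class Hit:
    technique: str
    name: str
    image: str
    target: str
    details: str
    severity: str


def detect(event):
    """Apply the three rules to one registry-set event; returns zero or more hits."""
    if event.get("EventID") != 13:
        return []
    image, target, details = event["Image"], event["TargetObject"], event["Details"]
    hits = []
    m = RUN_KEY_RE.search(target)
    if m:
        sev = "high" if USER_WRITABLE_RE.search(details) else "medium"
        hits.append(Hit("T1547.001", f"Run key value '{m.group(1)}' added", image, target, details, sev))
    m = DEFENDER_RE.search(target)
    if m:
        v = DWORD_RE.search(details)
        if v and int(v.group(1), 16) != 0:  # only a non-zero Disable* value is tampering
            hits.append(Hit("T1562.001", f"Defender {m.group(1)} set", image, target, details, "high"))
    m = SERVICE_RE.search(target)
    if m:
        sev = "high" if USER_WRITABLE_RE.search(details) else "medium"
        hits.append(Hit("T1543.003", f"Service '{m.group(1)}' ImagePath set", image, target, details, sev))
    return hits


def scan(events):
    return [h for e in events for h in detect(e)]


if __name__ == "__main__":
    for h in scan(EVENTS):
        print(f"{h.technique} [{h.severity}] {h.name}: {h.details}")
```

The Defender rule keys on the value, not just the path, because legitimate management tools write the same value back to 0; and because the Service Control Manager performs the registry write for a service created through its API, the process that matters for the T1543.003 hit is the one that called into the SCM, which this event alone does not show.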

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ID): number of hits

Execution
  • Scheduled Task/Job (T1053): 1

Persistence
  • Boot or Logon Autostart Execution (T1547): 8
  • Registry Run Keys / Startup Folder (T1547.001): 8
  • Scheduled Task/Job (T1053): 1
  • Create or Modify System Process (T1543): 3
  • Windows Service (T1543.003): 3

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 8
  • Registry Run Keys / Startup Folder (T1547.001): 8
  • Scheduled Task/Job (T1053): 1
  • Create or Modify System Process (T1543): 3
  • Windows Service (T1543.003): 3

Defense Evasion
  • Modify Registry (T1112): 14
  • Impair Defenses (T1562): 6
  • Disable or Modify Tools (T1562.001): 6

Credential Access
  • Unsecured Credentials (T1552): 13
  • Credentials In Files (T1552.001): 13

Discovery
  • System Information Discovery (T1082): 6
  • Query Registry (T1012): 10
  • Remote System Discovery (T1018): 1
  • Peripheral Device Discovery (T1120): 1

Collection
  • Data from Local System (T1005): 13

Command and Control
  • Web Service (T1102): 5

Tasks

Task (tags): Score

  • static1: 3/10
  • behavioral1: 3/10
  • behavioral2 (lumma, stealer): 10/10
  • behavioral3 (redline, darm, infostealer, persistence): 10/10
  • behavioral4 (persistence): 7/10
  • behavioral5 (persistence): 8/10
  • behavioral6: 3/10
  • behavioral7 (redline, 7001210066, discovery, infostealer): 10/10
  • behavioral8: 3/10
  • behavioral9 (redline, 7001210066, discovery, infostealer, spyware, stealer): 10/10
  • behavioral10: 3/10
  • behavioral11 (redline, zgrat, discovery, infostealer, rat, spyware, stealer): 10/10
  • behavioral12 (privateloader, risepro, loader, persistence, stealer): 10/10
  • behavioral13 (redline, dimas, evasion, infostealer, persistence, trojan): 10/10
  • behavioral14 (redline, dimas, evasion, infostealer, persistence, trojan): 10/10
  • behavioral15: 3/10
  • behavioral16 (redline, 5637482599, discovery, infostealer, spyware, stealer): 10/10
  • behavioral17: 3/10
  • behavioral18 (stealc, discovery, spyware, stealer): 10/10
  • behavioral19: 3/10
  • behavioral20 (redline, 7001210066, discovery, infostealer, spyware, stealer): 10/10
  • behavioral21 (redline, dimas, evasion, infostealer, persistence, trojan): 10/10
  • behavioral22 (mystic, smokeloader, backdoor, persistence, stealer, trojan): 10/10
  • behavioral23: 3/10
  • behavioral24 (redline, 5195552529, discovery, infostealer, spyware, stealer): 10/10