General

  • Target

    red.zip

  • Size

    8.0MB

  • Sample

    240515-f7da4abf35

  • MD5

    08d73729db85b5fcf996d5b14fb85af0

  • SHA1

    f31955b85cf90c03fadb89497ca0f51f8da7f94f

  • SHA256

    36a33e7da8ad27ce449d6bc53c6ca650bc283b8f96d5fe797187aea40e0dcc68

  • SHA512

    d5a67e0e22c30d316125d43ea79c41601f0ada96de71ab137f3790e147ee193fee5e02a4f062faedf7e8a4489606cf0f81855c3c269289fe6822beb3676e0f46

  • SSDEEP

    196608:8D4iY/n9u/N8wG5QgXn/CaoEwXUJOtAA+LS7DyS8P3Srf:f/ncV8ASqCaNtQiwP+f

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes
  • auth_value

    a5db9b1c53c704e612bccc93ccdb5539

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes
  • auth_value

    8f24ed370a9b24aa28d3d634ea57912e

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

@deeqsio

C2

45.15.156.167:80

Extracted

Family

lumma

C2

https://boredimperissvieos.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://sloganprogrevidefkso.shop/api

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://tendencyportionjsuk.shop/api

https://headraisepresidensu.shop/api

https://appetitesallooonsj.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

https://smallelementyjdui.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/NgsUAPya

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837

    • Size

      876KB

    • MD5

      cbb4108b51ced31cee714f2b6ad2379f

    • SHA1

      997d33ef7a7c427c7ddf6f6e602e344aa8921049

    • SHA256

      100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837

    • SHA512

      ddd69d3b12724a9872433b63f39c7a3dac9c0b0687d5d08bfe04da05d7f89681af1b0ae05e886fb2ce8c89d089b62f145d79aaab4874f08da5525df2a49c1429

    • SSDEEP

      12288:bMrMy90R7CQPeL/WMx8cSRmr8fXzw8ZPahvKGf6DMARjFlsMmSIOFMopKDD9VJ5Y:PyrRmU+mvVARJlbIY7pKDd0+Y

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      14e92d75842bf0e1bcae35adc805c07925a4a6d97655b90182b6147b5efbaffd

    • Size

      523KB

    • MD5

      6cd6b5811846dd00cbb4a5f3048d164d

    • SHA1

      92ecb7a8fcf6ab701548c8d69fdf331ffe24c20c

    • SHA256

      14e92d75842bf0e1bcae35adc805c07925a4a6d97655b90182b6147b5efbaffd

    • SHA512

      e125311c3fd8a6fe573a945c1301dfb1996788fed1d48c293331a31c52e2d183403f8f7a2f258eec292a0b9913705428c58948a6e500c39b0b5946e75289a439

    • SSDEEP

      12288:AZ4uNyEfgpt6yg1atRqj1SjvvM9iOrCc/AMN3JJb2C0Xp:AZ4sfgXQ1Sjs9iOPPhf+

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      228c35043919b5a4d810fd11dbb1b9646333aa6e75788617e4cc4ac41ab07a1a

    • Size

      1.2MB

    • MD5

      70c96bf7fd8b873fd3d55511a01b38fa

    • SHA1

      84fe856169f0018cada3ecc77b9afcbeef830459

    • SHA256

      228c35043919b5a4d810fd11dbb1b9646333aa6e75788617e4cc4ac41ab07a1a

    • SHA512

      0c8bdbd699dcfc757302cbec0cd7a0f1f97f1061eef1f6c4739b31625c335504c20c8d4b4095e02963c378a0bad10018264a35eceeb88553bc679676ef1e8fc5

    • SSDEEP

      24576:n2z0iTPmcOFrydXT0i9JYMsMy9XD6QmFQBLqs:n2AhFrydXT0EoHmWqs

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5

    • Size

      694KB

    • MD5

      c8032b42738527a70de1dadc4a7bff5b

    • SHA1

      f5f778df15d4e14503bea0f654cf9427ba050a38

    • SHA256

      236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5

    • SHA512

      babddfaac51c11952a79047852b01c499075acfe24e91dac46a5c590a31be1e4e71df5b1daf27254d9d608fa7345839790f8a550e04392de7f625c5d6b22a97d

    • SSDEEP

      12288:OO0Jg3ZJ7hWFArUqHsjumNFcF9gopM3bcgsqV5P3JkTC:OJJU7hWFuHyumzcCLUqV5v0

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Target

      2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a

    • Size

      333KB

    • MD5

      70b649dc98496fdd95d3c31dd28c8a96

    • SHA1

      8ac9a901047426fcaec73a4fa061b85ab28a378a

    • SHA256

      2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a

    • SHA512

      5a3c19ceee7df6d988bb3ad15c6242820629da8c941f69773f30fc7491a63629f6b1cfc603b2167b04ddbb85d304c1938b3f0d6f1af89af468a6ab5fb0ad873a

    • SSDEEP

      6144:R1RwZfFQDiioMvzATd5W0jbSXRYyghzqjjjjjjjfMNV4iJBcp+0Xp:R/zDiioMvzA+iyg9qjjjjjjjf+V4iJB+

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244

    • Size

      976KB

    • MD5

      be9ab75d36757186f2dd7ff0409992fc

    • SHA1

      aebd4f46a7c6c2c434799c24b53518a69c1e746a

    • SHA256

      2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244

    • SHA512

      55fd789402126f83046de4c0177e86c08cdd93f49e63d46c0bbf65d649f6e3ea76c25143823cfb527f81b531128ed3c8f30922d866f3ceef45db3e16acb414f3

    • SSDEEP

      24576:1vnuUYmYIXcWzGAcq/ztggbB1A+xI9rz:0mYIXcWzGAcq/zE+29X

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c

    • Size

      307KB

    • MD5

      c707329775778d23ea0f4097ce097a59

    • SHA1

      009a8997852eea8bf1449167afae6c7842714a19

    • SHA256

      399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c

    • SHA512

      9a4bd7e678a323297ad3c88fd15d1c7fae422e6f813816deb0261953906049b37251d94f1891c7b2c75133450950a9cde135136c886cb1befb010c7f36ab2f7d

    • SSDEEP

      6144:KUy+bnr+ip0yN90QEcx5QofdhZQ1Gr6VLNGiWH+2ZYXBAT:UMr6y90I5QmXO11TWHSXc

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c

    • Size

      332KB

    • MD5

      cc374f6af71bc0a4356047a5632665f7

    • SHA1

      0aad0c3600a0b007bef4847c257ccaeef1ef0955

    • SHA256

      3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c

    • SHA512

      94b400ae0de8b33f8804e7be2c2c304e26f6b28b523398966160078f97bf996cb3f3ed2539085c2460eca9589134c2d0399c0f8152af9c7b09549600020f9761

    • SSDEEP

      6144:S3zwDH1EpC8wM4ydBrEBniBBu0RSyghWvX/ZDsOJ5G+/GVy4+0Xp:SjZpGM4ydBm/ygQZDsOfGjVyV0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b

    • Size

      306KB

    • MD5

      d41a5cd7a3a7870992cfd75c5eff1637

    • SHA1

      8365910e5f8fff802cd8d928351270432128abaa

    • SHA256

      4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b

    • SHA512

      893c73fe37c917bf3c8557c1344e03daef3d1264a0296847fbd5e667e0070b6c920a58f709ec96bb2c1afd22a485d366479f57911eb5073e4c77e6f43243604e

    • SSDEEP

      6144:vBZd9vSWh60RVAtljy11yiI8iz2jaYO9eGoW/JyL985:JZiWhHE4i6qfRyL985

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      65a31de21fb11e9ed0db8f58105c54bbfc7953f539d85a946293e38e9065bbf0

    • Size

      307KB

    • MD5

      cd8ea3b63e20a3f928c87c1b8d03fbdf

    • SHA1

      3c2a074d94cfa7bd8506eac6662496c5c825c86a

    • SHA256

      65a31de21fb11e9ed0db8f58105c54bbfc7953f539d85a946293e38e9065bbf0

    • SHA512

      4aad5f7b258602ec851f5a9cb1177187ed4c3a9cb661a067aef17ebc442f768478f9b83ea1da709817bcca2857afdd52a8ab6b49fe56262a7318b920b007931d

    • SSDEEP

      6144:K5y+bnr+8p0yN90QEIoHmzPipcmKTbP5NuW5IEj0F1PTnV:XMrMy909HePHRT9NRIDx

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      790345d8c07ae982c606f2db111e6ff6a2bae42847c106a6f096f208f1653d0a

    • Size

      1.1MB

    • MD5

      c753cb8ff44d0a7c82c7ea5bccac55b4

    • SHA1

      bf39a9a1c512affc8c88d99b1bb41c0be91d2214

    • SHA256

      790345d8c07ae982c606f2db111e6ff6a2bae42847c106a6f096f208f1653d0a

    • SHA512

      60c861ab900217234c317f31a7a60e893a7290e2d220acf83f0a1d1395af39ad08916d083035c2c0d0474f75dcb8ad32e0ace390eaf1834ef097961c78e32d23

    • SSDEEP

      24576:xvHCA1uHM1oyR5FvYpIgPFyqUakXu0d0H4F+hy:luHM1oyR5FvYb+/0YF8y

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      7a5164cea09551d97475639ab8fb782d5fff907df5db0ff94ae2cb2a3b40dcf7

    • Size

      511KB

    • MD5

      c3db92ad91d83ae759f9b62d1dc60690

    • SHA1

      cba0187e53f0418353650dd711b8f29c59ee3740

    • SHA256

      7a5164cea09551d97475639ab8fb782d5fff907df5db0ff94ae2cb2a3b40dcf7

    • SHA512

      fc4034f2ebfde839e0ded47af5da25feef5013a181801e51080ed2f99ae3634dc0dd1924829db258421bc5805e8bcf4141030aa1ad17fe7472c688ad63f10a76

    • SSDEEP

      12288:G/w6V3Dq1uUpoLIIt0gSmmufejAdo1jQBAeZXoCe9:J6VzqHpafSmPGjMo1EB0R9

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743

    • Size

      527KB

    • MD5

      cda96eb769b520de195cae37c842c8f3

    • SHA1

      a1c8d0bbee8c109fabf1cf26ac3e9af0fc110341

    • SHA256

      9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743

    • SHA512

      11fe27e375077ad59f0adee3de6ccc32783244d68911b82d76e5a49001dcd3f1e0311abcb1f7e6f51a11dc057cd17b32ae4af36cd25d227ce8f0710ca5cc2e44

    • SSDEEP

      12288:6piut3k/AJLoyg8UwaEHQ9Ec131pHBF3tZ60juFF0Xp:6pi1/A8zEw9Ek31dD3P60V

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78

    • Size

      876KB

    • MD5

      c4f94db419675a2bd6a16b83fe8c381a

    • SHA1

      9df4ba3bf6ec393244a8c765e463e597bb64b217

    • SHA256

      a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78

    • SHA512

      564e7abd509ee71988cd0550846eb241fddd44fb7557a4c76c520a14d1f88f9b2464083f86fe3d8cb6660e2526536e4ea37800d1d957d7ea3a191425eab35855

    • SSDEEP

      24576:yyrZFRyjL8oVVYRBh7I21NQxRXsNeo6BP:Z/MjInz1SxR+e

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c0c8fc8c3baf26ce045fa13a8b1bf6d6051171f13321183317fc587bd5217e49

    • Size

      976KB

    • MD5

      6d001bfef69bd5ba214890560410dfb3

    • SHA1

      61ecf49a6d2e3aee64704e53386f8bf2587d2b01

    • SHA256

      c0c8fc8c3baf26ce045fa13a8b1bf6d6051171f13321183317fc587bd5217e49

    • SHA512

      2e83fd72e0c2f3cae79066f135c88f70af09375761c73b00c617b2ef10b9011609ed4732fd068818995cc14d0bdbd2c323dea968631b06558141a1a048729486

    • SSDEEP

      12288:LDSmk3QSIvpbmlbqYfMG7k+ezHvyOWUtggrafGeZleuzYrA5nOkNFR65a:eXIvpbmUYfMG7M/LtggrypVlR

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa

    • Size

      297KB

    • MD5

      c2f5800951ca0e25d1c9c4a304584dc5

    • SHA1

      ce90444d162d1a9309374f052bac3bd8b12e3884

    • SHA256

      c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa

    • SHA512

      6280df39b12c1069e4c54173674ffb00494eda397ff212a5ee21679d5fb3f696b1dec2ccb6ddbc6519b6728df361786934c15646517dc2806993260f25837d2a

    • SSDEEP

      6144:sk87zE8yF+JnF/1VVsNx0X4j2UwnGp6m7Bzg5+671wW4WvCoCe:187zE5iwNo4cGBK+cwWMoCe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      d3855d0640853387bc0df63e4ddcbc8af40e8cbb259b6be8049d23526e31dd68

    • Size

      1.2MB

    • MD5

      6c68a256a5ce9897ebe5bb882738ded6

    • SHA1

      330c5800275066e14ccd07c1131eae7a1349a441

    • SHA256

      d3855d0640853387bc0df63e4ddcbc8af40e8cbb259b6be8049d23526e31dd68

    • SHA512

      1665a85da3c6394127f8f60b200cb4e6e15a388e3a6e10b0897b90729c4473c90920f2e4f07f38b6ae75d7ae059d3fda6e84db45f9dd86bb8e35f258ec635897

    • SSDEEP

      24576:7qcTlAulwiqGeOeerZnwgbwc15305b02iwyu:kulwiqGeOprZocwB

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693

    • Size

      332KB

    • MD5

      ce35bf4ea4182f8e3524a14e10e90972

    • SHA1

      c9a5c28fdbff5ad0a285291142abe592fe9e8688

    • SHA256

      d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693

    • SHA512

      fd454377a77f900510b2855e6e9954cc7648277404cdd85b8e85b1f2d8e0667e9aea261c660b8d88551d1cdd816bc77d8719edac10b63067aa75f1fc7ee38341

    • SSDEEP

      6144:U1Bwp/lwz9PI8/T6f5mUz7S3RMyghFbHDju9DPUgAOGsf+0Xp:UPjz9PI8/Tzeygzbjju9YgAd0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

redline, dimas, infostealer, persistence
Score
10/10

behavioral2

Score
3/10

behavioral3

lumma, stealer
Score
10/10

behavioral4

Score
3/10

behavioral5

lumma, stealer
Score
10/10

behavioral6

Score
3/10

behavioral7

lumma, stealer
Score
10/10

behavioral8

Score
3/10

behavioral9

redline, 5345987420, discovery, infostealer, spyware, stealer
Score
10/10

behavioral10

Score
3/10

behavioral11

redline, 5195552529, discovery, infostealer, spyware, stealer
Score
10/10

behavioral12

redline, ditro, infostealer, persistence
Score
10/10

behavioral13

Score
3/10

behavioral14

redline, 5637482599, discovery, infostealer, spyware, stealer
Score
10/10

behavioral15

Score
3/10

behavioral16

redline, 5195552529, discovery, infostealer, spyware, stealer
Score
10/10

behavioral17

redline, dimas, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

Score
3/10

behavioral19

redline, zgrat, discovery, infostealer, rat, spyware, stealer
Score
10/10

behavioral20

Score
3/10

behavioral21

redline, @deeqsio, infostealer
Score
10/10

behavioral22

Score
3/10

behavioral23

lumma, stealer
Score
10/10

behavioral24

redline, dimas, evasion, infostealer, persistence, trojan
Score
10/10

behavioral25

Score
3/10

behavioral26

redline, 7001210066, discovery, infostealer, spyware, stealer
Score
10/10

behavioral27

Score
3/10

behavioral28

redline, 7001210066, discovery, infostealer
Score
10/10

behavioral29

Score
3/10

behavioral30

lumma, stealer
Score
10/10

behavioral31

Score
3/10

behavioral32

redline, 7001210066, discovery, infostealer
Score
10/10