General

  • Target

    Software 1.30.1.rar

  • Size

    11.1MB

  • Sample

    240519-xym8dade7y

  • MD5

    67a7b1cf572eab187e8736faee1806ae

  • SHA1

    ee552c72e68712c59a06e9de310b900cc0814434

  • SHA256

    4bd9eaf7e8142a48c12dd25ffdd3767f2b268891934c45d47c976693f4903f22

  • SHA512

    1d74b7b1d0679e07a93b366c457efa2fee7c2e6208e2cd4e30910c0904951265a11980320f7aab30c67d1c8323b262c0c235870cf944e8bc27cc6b895cf15bca

  • SSDEEP

    196608:WkL2CRKtDBZaDTrBjz265YZO9RmgnSeA9ksq75N3VXFIKiEtuLsCA:XKdBSjy65NJ3A9kx5bX1JtAs9

Malware Config

Extracted

Family

redline

Botnet

@fgkyleoff

C2

147.45.47.93:80

Targets

    • Target

      Debug/Addition.dll

    • Size

      30KB

    • MD5

      f22e849a370cdf127f48beab596bdd81

    • SHA1

      fb1da47c7a246f2cda7f7686a468efafd9933b1e

    • SHA256

      8be1f5581437b6f5ba48705e8956c8bc0765bbd1d6053242640c75bd94048aa9

    • SHA512

      6ded81fe4d4db69586d74fdb425c4fc8c092508e7e0b49eb141a9045abf40626d14659fa6237a3920e58571ca7acf4911cdf03c4307fd89b6dc5e54172afbc14

    • SSDEEP

      768:Fol18SuOO3bBAughXjNPQsXVjWuu7jqWdTS2gS:er6tAugVjN4sXJYjqWdm2V

    Score
    1/10
    • Target

      Debug/Cracker.dll

    • Size

      56KB

    • MD5

      404aacc737a9d30147d30cee6be0abba

    • SHA1

      5f49b9197d73b53eb3473c80a6f25dc068421baf

    • SHA256

      3eec59d6aa2a45e368b99d09bcedf228290656a88de8a09ccc91867ab71f228c

    • SHA512

      eb3716304571727d3134da4da46c5c91276afa20f5da26f2b89cc0cdc19f98592322b5e85fdc6a36e51636298ffac456a9057ed7d10c17e4955c4307cb933f20

    • SSDEEP

      384:poaSsZTSyPG0TLMU9mCzkcu/b49Pji7iJI5TZCP56vS1a+dYUFv8WTa:W1yR8U9mCzkcu/8V2iP56v/+G0a

    Score
    1/10
    • Target

      Debug/Helper.dll

    • Size

      189B

    • MD5

      9bb9aba5dd893bbccfa45e2d75d55d26

    • SHA1

      5714796513341ac3159a6a3c23d4769209063d35

    • SHA256

      6b325cadd8992d998c4fbc8ed56079c2850b68ea2d38432d51c26ce82b0a5419

    • SHA512

      f57df9a4a02bd17772acb3ac1a0d961c53f6940600b58834ae38c198a98ae651a21b382450b267aeffbca4ab262668ae471a78ed99bf9dfa414c1316056a289b

    Score
    1/10
    • Target

      Debug/Resource.dll

    • Size

      10.7MB

    • MD5

      641dadbb3f03938da99bf7c6c4cc482f

    • SHA1

      b21bdb69a17642ade8e62fcbd779ff1bc89ea809

    • SHA256

      883aefb081a1f9ef974ceb16e12c215e92fee13531c052279404bd11b2f8e479

    • SHA512

      7aea5f0db9b261a17801124d6eef0df2d3ada4a6f624c8f4f2ee519a61171a3f06de9032493e3309a1a982fd1218613dde73a942942df2a8ec367e7f66a531f5

    • SSDEEP

      196608:8B4DNtjVoWhIdAXplnpnh4uIKZ2K245peMKU3lRM9RVIO+QvSNG2uM+XGE4:04vWGIun1GKZ/2aZKU3lRvO+QvQgGP

    Score
    1/10
    • Target

      Packaged/Resource.dll

    • Size

      189B

    • MD5

      4427aeee68321d0f4d7befa74e669f83

    • SHA1

      4670003762a1c217c9e8ea48fcc53f2871a7c341

    • SHA256

      a9661f89b8d957f4e71cbe1ba0342a39e5b50a1d80d974e2e1b349a273967f1b

    • SHA512

      9d9156aa8fdebf19363fed2edb82235642c8c20549369470e44fdc0db41324e2160968fd7dd43eecce1ce3da9c03dd05cdefc8d903a9d0394f5ca9a73f5c5fa3

    Score
    1/10
    • Target

      Software 1.30.1.exe

    • Size

      526KB

    • MD5

      515d9f734385c3f6ca17ed5c071aa84f

    • SHA1

      b59e95a24eefc4e5e37f77c4d0e0a8069eb730b1

    • SHA256

      a0e3633a64314cb4be32525263e8bdd759dee77dc01c578f4b90d563aef6b2fc

    • SHA512

      07064cf134c96fb572bd06031fa6bb76a4de67229c4021e02b41073285fa3b8aa2f5ab5ed87a060341b7c42c439dda593822b2fa4f99e2d34e4f3a1cbb2078ef

    • SSDEEP

      12288:1fMjGqNc08bB8TTi0a79BJBS80yjXNDeZy+Ju/fq8:IGSe6a79/BSreNqlsC

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
