General

  • Target

    https://www.mediafire.com/file/t3pcht5x49s0iqk/Software_1.30.1.rar/file

  • Sample

    240522-zllj5agb72

Malware Config

Extracted

Family

redline

Botnet

@fgkyleoff

C2

147.45.47.93:80

Targets

    • Target

      https://www.mediafire.com/file/t3pcht5x49s0iqk/Software_1.30.1.rar/file

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

5
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks