General

  • Target

    d1d0254c9e54e1eb7caf3e11c972f6d7c72ba6a6e4cc241ebfd50a32e397ba21

  • Size

    552KB

  • Sample

    240526-dtv8msda3w

  • MD5

    358d9d4feb7f9c4dda28d7b5cf376210

  • SHA1

    9f708b20eafa2bb586ec1d9649991d8d102b2050

  • SHA256

    d1d0254c9e54e1eb7caf3e11c972f6d7c72ba6a6e4cc241ebfd50a32e397ba21

  • SHA512

    e0b4bb1657dfd2fb1468a32f8076f6ebd3ff908971ef24c863962ce2a41a9628b9ef710281bdf95c5a25627e74d60bbf5710e5c56a4cc709e2f37e2d21fe71cf

  • SSDEEP

    12288:0siy9060MJeFehSyXniCAmOa2j2IZVVYyZhBzl3s:SyEPehSLUJeVVYyrs

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Targets

    • Target

      d1d0254c9e54e1eb7caf3e11c972f6d7c72ba6a6e4cc241ebfd50a32e397ba21

    • Size

      552KB

    • MD5

      358d9d4feb7f9c4dda28d7b5cf376210

    • SHA1

      9f708b20eafa2bb586ec1d9649991d8d102b2050

    • SHA256

      d1d0254c9e54e1eb7caf3e11c972f6d7c72ba6a6e4cc241ebfd50a32e397ba21

    • SHA512

      e0b4bb1657dfd2fb1468a32f8076f6ebd3ff908971ef24c863962ce2a41a9628b9ef710281bdf95c5a25627e74d60bbf5710e5c56a4cc709e2f37e2d21fe71cf

    • SSDEEP

      12288:0siy9060MJeFehSyXniCAmOa2j2IZVVYyZhBzl3s:SyEPehSLUJeVVYyrs

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Tasks