General

  • Target

    254033f5f7a0dfb2233069e25b3a482b19a009a5dacc7724e557f7de87e39373

  • Size

    2.2MB

  • Sample

    240527-ypn9rahc77

  • MD5

    c0b96308a2290e7e57b4e3a49d811786

  • SHA1

    0ce83884b2ee1f7598f44e5c6cf6177b7050e47f

  • SHA256

    254033f5f7a0dfb2233069e25b3a482b19a009a5dacc7724e557f7de87e39373

  • SHA512

    20fe91b655092e3f7568ceeb78c94abaaaa912902213ec1fa5cf81f867e69f3a5af182946efdd6a63bc6f937c36cbe1a7150581605c8ba8029c9cdd6cf59fe86

  • SSDEEP

    24576:rPUcthsNP/d3qI4N+Nl49LPSncvK51CvO8ofTWIGq+0Yagngd7gggggggMggggXJ:+NP/d6IxNIKnL5mO8ofTrrN86HrLL9

Malware Config

Extracted

  • Family

    redline

  • Botnet

    1

  • C2

    149.28.222.15:44506

Targets

    • Target

      254033f5f7a0dfb2233069e25b3a482b19a009a5dacc7724e557f7de87e39373

    • Size

      2.2MB

    • MD5

      c0b96308a2290e7e57b4e3a49d811786

    • SHA1

      0ce83884b2ee1f7598f44e5c6cf6177b7050e47f

    • SHA256

      254033f5f7a0dfb2233069e25b3a482b19a009a5dacc7724e557f7de87e39373

    • SHA512

      20fe91b655092e3f7568ceeb78c94abaaaa912902213ec1fa5cf81f867e69f3a5af182946efdd6a63bc6f937c36cbe1a7150581605c8ba8029c9cdd6cf59fe86

    • SSDEEP

      24576:rPUcthsNP/d3qI4N+Nl49LPSncvK51CvO8ofTWIGq+0Yagngd7gggggggMggggXJ:+NP/d6IxNIKnL5mO8ofTrrN86HrLL9

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application (persistence under Software\Microsoft\Windows\CurrentVersion\Run; the report does not name the hive or value)

    • Suspicious use of SetThreadContext (typically process hollowing: the thread of a suspended process is redirected to injected code)

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              ID          Matches
  Persistence           Boot or Logon Autostart Execution      T1547       1
  Persistence           Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation  Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001   1
  Defense Evasion       Modify Registry                        T1112       1
  Credential Access     Unsecured Credentials                  T1552       1
  Credential Access     Credentials In Files                   T1552.001   1
  Collection            Data from Local System                 T1005       1
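The indicators and behaviours in this report can be turned into a local check. The Python below is an added example and not part of the sandbox report: it hashes a file or byte string against the report's digests, and scans Sysmon-style log lines for the Run-key write (T1547.001) and the connection to the extracted C2. The log lines, image paths and SID are constructed for illustration; the key=value log format and the Run/RunOnce key pattern are assumptions, since the report gives only the behaviour and not the hive or value name.

```python
"""Check local artefacts against the indicators in the RedLine report above.
Added example; not part of the sandbox report."""
import hashlib
import re

# Digests of the sample, copied from the report.
REPORT_HASHES = {
    "md5": "c0b96308a2290e7e57b4e3a49d811786",
    "sha1": "0ce83884b2ee1f7598f44e5c6cf6177b7050e47f",
    "sha256": "254033f5f7a0dfb2233069e25b3a482b19a009a5dacc7724e557f7de87e39373",
}

# C2 extracted by the sandbox. An IP:port is a weak, short-lived indicator:
# treat a hit as a lead to confirm, not as proof on its own.
C2_IP, C2_PORT = "149.28.222.15", "44506"

# The report says a Run key is added but does not name the hive or value, so
# this pattern (an assumption) covers Run and RunOnce under any hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# key=value fields; values may contain spaces, so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 of a byte string, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path: str) -> dict:
    """Same digests for a file on disk, streamed rather than read in one go."""
    digests = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_report(digests: dict) -> list:
    """Names of the algorithms whose digest equals the report's value."""
    return [name for name, value in REPORT_HASHES.items() if digests.get(name) == value]


def parse_event(line: str) -> dict:
    """Split one 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect(lines) -> list:
    """Flag events matching the report's persistence and C2 behaviour.

    Uses Sysmon numbering: EventID 13 is a registry value set, EventID 3 a
    network connection. Returns (signature, image, detail) tuples."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append(("T1547.001 Run key added", ev.get("Image", ""), ev["TargetObject"]))
        elif eid == "3" and ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") == C2_PORT:
            hits.append(("RedLine C2 connection", ev.get("Image", ""), f"{C2_IP}:{C2_PORT}"))
    return hits


# Constructed Sysmon-style lines (hypothetical paths and SID): the first two
# should fire, the last two are benign noise that must not.
SAMPLE_LOG = r"""
EventID=13 Image=C:\Users\victim\AppData\Roaming\svchost32.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\victim\AppData\Roaming\svchost32.exe
EventID=3 Image=C:\Users\victim\AppData\Roaming\svchost32.exe DestinationIp=149.28.222.15 DestinationPort=44506 Protocol=tcp
EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=142.250.74.46 DestinationPort=443 Protocol=tcp
EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop Details=C:\Users\victim\Desktop
""".strip().splitlines()

if __name__ == "__main__":
    for sig, image, detail in detect(SAMPLE_LOG):
        print(f"{sig}: {image} -> {detail}")
```

To check a file on disk, call `matches_report(hash_file(path))`; an empty list means none of the three digests match, which says nothing about repacked variants of the same family. A C2 hit on its own is a lead rather than a verdict; the stronger signal is the Run-key write and the outbound connection coming from the same image, as in the first two sample lines.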
