General

  • Target

    6415156ccb8d18f7b96d7e925cd095c346d9432e8654552a093dbbee14746715

  • Size

    442KB

  • Sample

    240705-199gjaxemk

  • MD5

    2f4ca641d2f18ec969232e07d932c9f2

  • SHA1

    6e43e55dd70a2297aa77e6eb077649802cd15461

  • SHA256

    6415156ccb8d18f7b96d7e925cd095c346d9432e8654552a093dbbee14746715

  • SHA512

    9e2696a76e6e5cc1b71728d50f259f7d40b18a080d3c1590b84cc69d2c7160fb03198efd7a43ab22333876886583944480531458c9ee7bb508ff134d1c793570

  • SSDEEP

    6144:4AkIrSr29/ChgIT71JmblFx6pZkz8yILQB1X7h6grM:/r793WJmb56p0ILQB1X7w

Malware Config

Extracted

Family

redline

Botnet

@MarsSellers12

C2

94.228.166.68:80

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks