General

  • Target

    dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe

  • Size

    5.5MB

  • Sample

    240705-yew7lswhkb

  • MD5

    509c110ee54d73c3398140a5eb78c45a

  • SHA1

    04a2b8402af2053e3818f547a9bb78101a7002c2

  • SHA256

    dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6

  • SHA512

    a908e48935bd8af79db2c28615f8dcb32793312d1fac4a06d22e26739fd05ff89e684e3d2210d4e6203035a7a843e8316bd918b37ff90898cdee93a3fe3ad8fb

  • SSDEEP

    98304:lgLlvKyyLlqwYYHAnoMsOtFjqGvqT2n+LtQnDCdMzEkyziWP6fni5rolwi3lDhMY:lgRvKyykJBPjvqCsUDCEEVP6niel1lDB

Targets

    • Target

      dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      ⌚/38.exe

    • Size

      4.7MB

    • MD5

      ca43f43bd60696a071914f7d56dfb170

    • SHA1

      0395c64a4cfc0c5b5e4f0213a2947e8971db0646

    • SHA256

      c589837b7c914750d50c96183a6133940d0770d0a690c81b7594dafad925b8a9

    • SHA512

      5a476ade3e31ecdd01544111912bdf3cc43883c32703b72d698420c1ee7ec839c01cb7eadc7bfdc2f94ea7b4caac2e2a4e3f3ee088f1a1674a242d4db8d4a3be

    • SSDEEP

      98304:ue5sDcJRr2LDOKwWDxVkZUm9i+lvBJ7fCwrra37elTmHzVczwqYrmhLyK:ue2I7r2LDbxVkZUmDlJFf/aZ7qN

    • Score

      1/10

    • Target

      ⌚/41.exe

    • Size

      1.0MB

    • MD5

      d3d07dbbf681e20fb2c58e5a8916a78e

    • SHA1

      1964d2e5081b7a711fd6de9c48beada5adfe0daf

    • SHA256

      4911bbaedcca532e468702601a467444f6bfcf65d940bed75fcaaca9d06c8150

    • SHA512

      42b2d6cdb522cd374f2b688ac47c62faae5416790a70930088dee5a2fa21561372bbef0bcd2c689b23f01f85347fd5b3c69d3d35193c4c9d57a6fb4251149951

    • SSDEEP

      24576:tXUMntwbcqSFcisZLm1p/2Jgo2YPD0MIh0is:/wUFLH/2ayRIhHs

    • Score

      1/10

    • Target

      ⌚/ABC.exe

    • Size

      13KB

    • MD5

      2808310786effc87a4359c778a73a7ee

    • SHA1

      525f278678ad73a34c368f0afc4558ed0454f076

    • SHA256

      33d9753ee9b3920352b743d72adfd62c969ab0619eb5673151f478ebdfa197a5

    • SHA512

      02348e663f215ff6cf37cccea7ea4da3c53362aa75a1a0a88279b9a0acbf60deb30829b47ff7ce1ae97c43ca52b7e09ca90cbb621fee2da1a0ddcc65677c0d67

    • SSDEEP

      384:RWaw77Ke8FeO+DK32XzUzxcRx8ptYcFwVc03K:2KFqIUxItYcFwVc6K

    • Score

      1/10
