General

  • Target

    githelper.exe

  • Size

    514KB

  • Sample

    240706-cx2n6awbkf

  • MD5

    8de738f01c7181c6699559939ea34c9c

  • SHA1

    cdbb0cd283415c7a07186ef7a20446e7cf0b5383

  • SHA256

    9bf8f6a0aed32a63ed3360af9a0b6c58f3a22dc91f5abc643cbc065e369fe57a

  • SHA512

    c1fe0b1eac001dd9bd8a4dcba7b19aeed197071fd8642f7043dd68f8c515ab2e87cd367132412d4dd2ad4ae446c961c76bdf7f6974f7eed7e7061e90243e1cab

  • SSDEEP

    12288:j/gmsvkhLzmQ+xNVsMCRQq+zjfNC05oObdEZtUBpi:/sv2f+jV/1NRxH

Malware Config

Extracted

Family

redline

Botnet

@xcdaxfszx

C2

94.228.166.68:80

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext
