General

  • Target

    S500.exe

  • Size

    8KB

  • Sample

    240706-f31ktszaja

  • MD5

    4fbb04c9e3aa983cbfc4980a7b5b7041

  • SHA1

    34aeca658462e638521bc384a4935251678a9a78

  • SHA256

    24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731

  • SHA512

    615534039ad97fea8c881656a53b6b0ead41e3770e0a3f3cd38052585dc5a102ab25b824c59c3142b75f6b62e56ff46ab981e27c889ded28a5cc2884581863bc

  • SSDEEP

    192:Gh9Lz2jG4pFMYqLDQ1bhxZzzzhGjcJr9emxan6+UqawcTnYPvkVNxdpD:Gh9Liy4kLDQHtGjcJrQmxan6+/xcTnYg

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/pancek61111111111111/raw

Targets

    • Target

      S500.exe

    • Size

      8KB

    • MD5

      4fbb04c9e3aa983cbfc4980a7b5b7041

    • SHA1

      34aeca658462e638521bc384a4935251678a9a78

    • SHA256

      24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731

    • SHA512

      615534039ad97fea8c881656a53b6b0ead41e3770e0a3f3cd38052585dc5a102ab25b824c59c3142b75f6b62e56ff46ab981e27c889ded28a5cc2884581863bc

    • SSDEEP

      192:Gh9Lz2jG4pFMYqLDQ1bhxZzzzhGjcJr9emxan6+UqawcTnYPvkVNxdpD:Gh9Liy4kLDQHtGjcJrQmxan6+/xcTnYg

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks