General

  • Target

    QuwyWare.exe

  • Size

    117.2MB

  • Sample

    240706-vqn4lawejn

  • MD5

    f893865f6d73742d7c9fb51bf9aac505

  • SHA1

    843f387604d250f509b1a0f5fa912bbf776da746

  • SHA256

    2f87c0abee258364d03ca8fd669dce8dd71f8d30cd568543e9cb90d1f68348fd

  • SHA512

    bc6647bf541a19013ff7016538c81a2bbfeee8b3f5591e70444ae788d27f156917d877ec313fe6c6d190096c5e54a6c06e63c31d4ff3804ff073df03057b0de6

  • SSDEEP

    3145728:nYVWiqDu0LbQHahvuck0jPAXf4aFc+t3xRqeov8SHI0Dp6S:KqDPL86huANs/4nHI0DpF

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Sabad0n

  • C2

    77.73.129.75:1912

Targets

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext