General

  • Target

    QQ bypass.rar

  • Size

    2.0MB

  • Sample

    240708-mnes5svdml

  • MD5

    84f8fe2f72d94e391517635f268c8c48

  • SHA1

    e27d4433baf22b629f627d93f72d19849d8c2274

  • SHA256

    21a05abfea96761494af4e62be2f6dd68b6a7abb36f8fb679799a4d654194873

  • SHA512

    60c9f378e5ca931b826f4eef3bca15b021459cfebd97aa6be3ae7608c34bd2ebcf9249435064a239ef7c58500f77617b1b892ad36dcc287da7a8166e7081331f

  • SSDEEP

    49152:gZtsSc2SPxtiMhN0G6Y/9Vr9FFBSFjFZBHHimZgIh0rk+9X8:i+B2S5suN0TYJzBSFj5HCmZgp9X8

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Sabad0n

  • C2

    77.73.129.75:1912

Targets

    • Target

      QQ bypass/QQ bypass.exe

    • Size

      3.6MB

    • MD5

      7d4449cae104d4dc966bc74df0b2ba2e

    • SHA1

      6e3076c9cf82a04ef39523aab3b1cb1e6103f9a9

    • SHA256

      7bd293ae422b09cc8e4052f5cd74a9295f04566eeb756c576507ce8716f4c5d8

    • SHA512

      46f8a2842ac0501717b7d5da92713211c09723672a3c8d354e4fd9616fec38c3440c9075413560ead85be16c3c8a4ccb81efc188ddf2069fbb3a3c0a56fc240f

    • SSDEEP

      49152:cBVtv6o+8O3KHnGNzcDodTX9j/ohWkkjYIBkzY:WPioqh9jyWkkjPX

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks