Overview

overview

10

Static

static

1

95fb9ca820...74.exe

windows7-x64

10

95fb9ca820...74.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bbe6311c3e2fab459f729dc8cd6e3519.bin

  • Size

    1.0MB

  • Sample

    240818-b7v4pa1hmp

  • MD5

    98729d41ab82cf19f770806dc7633413

  • SHA1

    ba5fef6618eac073d9cb70c44fdba984fb90c3b2

  • SHA256

    fcd73ad8b8176a091c324c37290f9e89a8753c1cbd7f7d97fdb4ee34c8b89a68

  • SHA512

    196c38feda1871aab7ac828ae5af92a50121b90f1448b03950aa7d86eb7850f45853c603a8369f3f76b9000f652ed727cb4af49cededded191568bfc5fa2a149

  • SSDEEP

    24576:sPh0krZRCSgqx+kJnINYZXMTNWtY+wDq/LUnTHdDc1AlN6x8Guk5KkX:qhzxgqoqbRMxVuzUrdg1AlN6zugX

Score
10/10
redline814facredential_accessdiscoveryexecutioninfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

814FA

C2

88.99.151.68:7200

Targets

    • Target

      95fb9ca82017f2a6bc59df0d72fc6f90043e135799d25e9922d4943da4c36874.exe

    • Size

      1.1MB

    • MD5

      bbe6311c3e2fab459f729dc8cd6e3519

    • SHA1

      b71993aafd6627e55657819826c67f64f764c77f

    • SHA256

      95fb9ca82017f2a6bc59df0d72fc6f90043e135799d25e9922d4943da4c36874

    • SHA512

      33fb4936db966d0f285a48b09700716eadcdc19212c3e234f34dc0e497e55f01f493956aa86de438a3c65ba8e112d6ee1f3cd0ff9aee3cda1f686cc68dc77a47

    • SSDEEP

      24576:HzZyi0Kg1ySDKr8TP/4xDVMRy5MxcTCLA8dUtp+FPlDha1edx/M2:H0iTezbe9jp+FPlEoHR

    Score
    10/10
    redline814facredential_accessdiscoveryexecutioninfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks