Overview

overview

10

Static

static

3

RedEngine/...ne.exe

windows7-x64

10

RedEngine/...ne.exe

windows10-2004-x64

10

RedEngine/libEGL.dll

windows7-x64

1

RedEngine/libEGL.dll

windows10-2004-x64

1

RedEngine/...v2.dll

windows7-x64

1

RedEngine/...v2.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b284ac0acaa2258723002e65cb90bd3c13ab554c483a41907ce973602dbab072.7z

  • Size

    2.1MB

  • Sample

    240905-pgqcea1fkd

  • MD5

    fc2f2cdf463747509573ff427b02c48a

  • SHA1

    f024fb301d59bddb14ad05ed12d0e515e67d0fe8

  • SHA256

    b284ac0acaa2258723002e65cb90bd3c13ab554c483a41907ce973602dbab072

  • SHA512

    a708e6f7842798b96dbab74324388a1e26048eba685481b7262cb9b237584fd6c31b7beb392403b7cf20d752732c951f15c56cd0a62df994709baf9d0dcf6b27

  • SSDEEP

    49152:ans+cQuFwdqot9uxVUk6yCpEc1/4AzF1vAwiybYzw:anRruFwdqom8LycBvArsYE

Score
10/10
redlinecredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistencepyinstallerspywarestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/pancek61111111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar

Targets

    • Target

      RedEngine/RedEngine.exe

    • Size

      8KB

    • MD5

      4fbb04c9e3aa983cbfc4980a7b5b7041

    • SHA1

      34aeca658462e638521bc384a4935251678a9a78

    • SHA256

      24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731

    • SHA512

      615534039ad97fea8c881656a53b6b0ead41e3770e0a3f3cd38052585dc5a102ab25b824c59c3142b75f6b62e56ff46ab981e27c889ded28a5cc2884581863bc

    • SSDEEP

      192:Gh9Lz2jG4pFMYqLDQ1bhxZzzzhGjcJr9emxan6+UqawcTnYPvkVNxdpD:Gh9Liy4kLDQHtGjcJrQmxan6+/xcTnYg

    Score
    10/10
    defense_evasionredlinecredential_accessdiscoveryexecutioninfostealerpersistencepyinstallerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

    • Target

      RedEngine/libEGL.dll

    • Size

      469KB

    • MD5

      2a568dc1f848b2948dfd90c8ebeb58c6

    • SHA1

      e765ca8946ce091651c6722c650d9ad5edfeb5d5

    • SHA256

      c00285c0174024739997898e98444deb4cbfe6b571cca69ca3bf8e5ab3ea5bbe

    • SHA512

      a6ce4ead89933d32ea24766f887655ee5894ef1813faf97ebb2191a775488ba2fd77bcb4aedefc273ef85f5a93a9a5dd3d35b213a52d95b0cc4111708d9fcee5

    • SSDEEP

      3072:4kgdNXYPuSHGjFXVYbAQSIoU8w1Z5iErbFdWE7D6i/wZJothADZX+Lcq7gv+xt4f:47Vl/HxUniSbFdH1/wXFufMG9x2qPz

    Score
    1/10
    behavioral3behavioral4

    • Target

      RedEngine/libGLESv2.dll

    • Size

      7.2MB

    • MD5

      5afc7b4ae2a76fa9a2b740734ef9f9f7

    • SHA1

      fb7d539a77883ee2ad2036c0243ef9acb49132ab

    • SHA256

      9168eac79d66301f49c8b2d501e8ea79b52f6b3f8b4e6aac06348fe24bf845d6

    • SHA512

      132ed0e481192f31e5aedde4f4386beac099c8ce86778b097b98cbd7ada6e7fcf15cda271b0ec07bab4edbb9429937ea9aae139d6ba7b74a4f4238471d8ea773

    • SSDEEP

      98304:vD+WTl1xDfbWziTwMPdkUqqXyXm3C/0+:vDTnxezkPqqiCC/

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks