General

  • Target

    0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe

  • Size

    312KB

  • Sample

    240910-bdke4a1cph

  • MD5

    db1fbaf680dc245b486db86fa852f655

  • SHA1

    355caa80363bc44607efcce4c64d3752a0edf286

  • SHA256

    0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32

  • SHA512

    ec923d035cd6d608315c7a7dbd3ffd66afea22dace6f0854e7e97346ca758f6344c32a6a7336e9fd1506207bdee1e408f4a328b7671c7d9248a64e8a56c2e840

  • SSDEEP

    6144:ebVv6RXCrNabG9wcT7XVwBIQv6B2M4m2FxHrkRQyczK+VcpKTCcTj:ebGXCNXX1wus6B2Mo1mKcFcT

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

45.91.202.63:25415

Targets

    • Target

      0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe

    • Size

      312KB

    • MD5

      db1fbaf680dc245b486db86fa852f655

    • SHA1

      355caa80363bc44607efcce4c64d3752a0edf286

    • SHA256

      0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32

    • SHA512

      ec923d035cd6d608315c7a7dbd3ffd66afea22dace6f0854e7e97346ca758f6344c32a6a7336e9fd1506207bdee1e408f4a328b7671c7d9248a64e8a56c2e840

    • SSDEEP

      6144:ebVv6RXCrNabG9wcT7XVwBIQv6B2M4m2FxHrkRQyczK+VcpKTCcTj:ebGXCNXX1wus6B2Mo1mKcFcT

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks