General

  • Target

    file.exe

  • Size

    314KB

  • Sample

    240917-zyvzbsvfkm

  • MD5

    ff5afed0a8b802d74af1c1422c720446

  • SHA1

    7135acfa641a873cb0c4c37afc49266bfeec91d8

  • SHA256

    17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

  • SHA512

    11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

  • SSDEEP

    6144:/6ZNaeEuexVOkKu/A9UZMOqMVr57KLMLPQ5uRXg6hUm8:/BvOkHPEUsYLeIXgDm8

Malware Config

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Targets

    • Target

      file.exe

    • Size

      314KB

    • MD5

      ff5afed0a8b802d74af1c1422c720446

    • SHA1

      7135acfa641a873cb0c4c37afc49266bfeec91d8

    • SHA256

      17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

    • SHA512

      11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

    • SSDEEP

      6144:/6ZNaeEuexVOkKu/A9UZMOqMVr57KLMLPQ5uRXg6hUm8:/BvOkHPEUsYLeIXgDm8

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks