Overview

overview

10

Static

static

3

5a227bf354...18.exe

windows7-x64

10

5a227bf354...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618.exe

  • Size

    920KB

  • Sample

    241004-bwj72s1cmb

  • MD5

    142a2665fecb3dba09c1e4aa85b8c0d7

  • SHA1

    d7e8bc456caa0f7e6e9af5229e86b409253d5c06

  • SHA256

    5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618

  • SHA512

    0d99edc929b6864b3c1c7c0f37586bc91e53e5676ae6fd9fd5bd2f303296e0781f771e495fc9363e575d5f79f0d0b4be194a0c1d02844a70778c57d3ee65775d

  • SSDEEP

    24576:FvUxOo74WAZ6QsoZIFhWZHNd8JE9wvUyX6:foUWAMToZCsHNdGYk+

Score
10/10
redlinestrratl0gzdiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

L0GZ

C2

93.185.156.125:1912

Extracted

Family

strrat

C2

93.185.156.124:1912

127.0.0.1:1912
Attributes
  • license_id

    khonsari

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Targets

    • Target

      5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618.exe

    • Size

      920KB

    • MD5

      142a2665fecb3dba09c1e4aa85b8c0d7

    • SHA1

      d7e8bc456caa0f7e6e9af5229e86b409253d5c06

    • SHA256

      5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618

    • SHA512

      0d99edc929b6864b3c1c7c0f37586bc91e53e5676ae6fd9fd5bd2f303296e0781f771e495fc9363e575d5f79f0d0b4be194a0c1d02844a70778c57d3ee65775d

    • SSDEEP

      24576:FvUxOo74WAZ6QsoZIFhWZHNd8JE9wvUyX6:foUWAMToZCsHNdGYk+

    Score
    10/10
    redlinestrratl0gzdiscoveryinfostealerspywarestealertrojanpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • STRRAT

      STRRAT is a remote access tool than can steal credentials and log keystrokes.

      trojanstealerstrrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks