General

  • Target

    sample

  • Size

    449KB

  • Sample

    241016-x9kavssarm

  • MD5

    f4662a16e4566ae667ef4833fbb225f8

  • SHA1

    1680bbd0f8a13ceffcbeca440130c07a873f7e7d

  • SHA256

    2550ae9fe196804a832cf87e2c8bb60fd066596c9a5a4fcfc211a21090a603f1

  • SHA512

    065f9d9253ba28df950d0111a1c420a8ace0850062a9859ba767b1c5374296e3091bd7604a86e1b3abfd5994b94ca4643e48f97fd55840930d4494ca48e35a40

  • SSDEEP

    3072:bQNPt7/6rjEcYLLSpI4sCJE8V+caQ0eiSX3R6kAdoS7+XZ1uaA/mj:bUPSpI23R6kAd2XZTAq

Malware Config

Targets

    • Target

      sample

    • Size

      449KB

    • MD5

      f4662a16e4566ae667ef4833fbb225f8

    • SHA1

      1680bbd0f8a13ceffcbeca440130c07a873f7e7d

    • SHA256

      2550ae9fe196804a832cf87e2c8bb60fd066596c9a5a4fcfc211a21090a603f1

    • SHA512

      065f9d9253ba28df950d0111a1c420a8ace0850062a9859ba767b1c5374296e3091bd7604a86e1b3abfd5994b94ca4643e48f97fd55840930d4494ca48e35a40

    • SSDEEP

      3072:bQNPt7/6rjEcYLLSpI4sCJE8V+caQ0eiSX3R6kAdoS7+XZ1uaA/mj:bUPSpI23R6kAd2XZTAq

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Event Triggered Execution: Image File Execution Options Injection

    • Sets service image path in registry

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      remove IFEO.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks