General

  • Target

    a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4

  • Size

    788KB

  • Sample

    241104-zrlgbaxfll

  • MD5

    89fc0e8fd47a6d12c2bbc8e17f427f96

  • SHA1

    431fa52910d84c9356dfe0c0be902eb51cd4f05d

  • SHA256

    a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4

  • SHA512

    d6b6c36c153c4f5f5e14d868acf5f2aeeea729b954593714f5572634a2c42dd4335f3bbfd91b3f80b7dc577c96306b3cf07bf472b283636e65b895269d86b6ac

  • SSDEEP

    12288:DLnFudzjfk3x6MiGE/f6ILTndVAGAokfprIKYa38+2oWzqWGCWd:DLFuFDuxsFbdVAdfpaasz9G7

Malware Config

Extracted

Family

redline

Botnet

JanKy1602

C2

144.76.173.68:16125

Attributes
  • auth_value

    d120bf8ad3b470a7cb11934d38348aff
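The extracted configuration above gives two kinds of hunting material: a C2 endpoint and the sample's file hashes. The following script is an added example, not part of the sandbox report, showing how a responder would sweep both across constructed inputs. The Zeek conn.log rows and the EDR-style hash manifest are constructed for the demonstration; the C2 address and the MD5/SHA1/SHA256 values are the ones listed in the report.

```python
"""Hunt for the IOCs extracted above (C2 endpoint and file hashes).

Added example, not part of the sandbox report. The Zeek conn.log rows and the
EDR-style hash manifest below are constructed for the demonstration; the C2
address and the MD5/SHA1/SHA256 values are the ones the report lists.
"""
import hashlib
import ipaddress

# IOCs from the report.
C2_IP, C2_PORT = "144.76.173.68", 16125
SAMPLE_HASHES = {
    "md5": "89fc0e8fd47a6d12c2bbc8e17f427f96",
    "sha1": "431fa52910d84c9356dfe0c0be902eb51cd4f05d",
    "sha256": "a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4",
}

# Constructed Zeek conn.log excerpt. Real logs carry more columns; the parser
# keys rows off the #fields header, so extra columns do not matter.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1730700000.1\tCx1\t10.0.0.12\t51122\t144.76.173.68\t16125\ttcp\n"
    "1730700001.2\tCx2\t10.0.0.12\t51123\t8.8.8.8\t53\tudp\n"
    "1730700002.3\tCx3\t10.0.0.7\t51124\t144.76.173.68\t443\ttcp\n"
)

# Constructed EDR hash export; note the upper-case SHA256, which a naive
# string compare would miss.
MANIFEST = {
    r"C:\Users\u\AppData\Local\Temp\setup.exe": {
        "sha256": "A561E3339DAC681116339CCA03145625D96B6ADA4F4BE4D742785900D40DAEE4",
    },
    r"C:\Windows\System32\notepad.exe": {"md5": "11" * 16, "sha256": "00" * 32},
}


def parse_zeek(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def match_c2(text, ip=C2_IP, port=C2_PORT):
    """Split hits into exact ip:port matches and same-host/other-port traffic.

    The C2 port is set per build, so traffic to the C2 host on another port
    is worth a look even though it is not this sample's configured endpoint.
    """
    target = ipaddress.ip_address(ip)
    exact, same_host = [], []
    for row in parse_zeek(text):
        if ipaddress.ip_address(row["id.resp_h"]) != target:
            continue
        resp_port = int(row["id.resp_p"])
        if resp_port == port:
            exact.append((row["id.orig_h"], row["uid"]))
        else:
            same_host.append((row["id.orig_h"], row["uid"], resp_port))
    return exact, same_host


def hash_bytes(data):
    """Compute the same three digests the report lists, for a file you hold."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def match_hashes(manifest, known=SAMPLE_HASHES):
    """Return {path: [algorithms that matched]}, comparing case-insensitively.

    A hit on any one algorithm is enough to flag the file.
    """
    hits = {}
    for path, digests in manifest.items():
        matched = [a for a, h in digests.items() if a in known and h.lower() == known[a]]
        if matched:
            hits[path] = matched
    return hits


if __name__ == "__main__":
    print(match_c2(CONN_LOG))
    print(match_hashes(MANIFEST))
```

The same-host bucket exists because a single IP:port from one build is a narrow indicator; the host is the more durable one, and the split lets an analyst decide how much weight to give each.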

Targets

    • Target

      a561e3339dac681116339cca03145625d96b6ada4f4be4d742785900d40daee4

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • UAC bypass

    • Windows security bypass

    • Detected Nirsoft tools

      Legitimate NirSoft utilities (password-recovery and product-key tools) that attackers bundle to harvest saved credentials.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (the Exclusion* parameters of Add-MpPreference / Set-MpPreference) so that dropped payloads are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid executing in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
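The "Command and Scripting Interpreter: PowerShell" and "Windows security modification" signatures above describe Defender exclusions being added from a script. The following detection logic is an added example, not part of the sandbox report. The event records it runs over are constructed; their layout follows PowerShell Script Block Logging (event 4104, ScriptBlockText) and the Defender Operational log's configuration-change event (5007), but the exact message wording and the simple "key: value" record format used in place of real EVTX are assumptions.

```python
"""Flag the Defender-exclusion tampering behaviour listed in the signatures.

Added example, not part of the sandbox report. The event records below are
constructed; their layout follows PowerShell Script Block Logging (event 4104,
ScriptBlockText) and the Defender Operational log's configuration-change event
(5007), but the exact message wording is assumed, as is the simple
"key: value" record format used here in place of real EVTX/XML.
"""
import re

# Cmdlets that write Defender preferences, and the exclusion parameters they take.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCL_PARAM = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# Registry location Defender stores exclusions under; a 5007 event names the
# changed value beneath it.
EXCL_REG = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\",
    re.IGNORECASE,
)

# Constructed records separated by "---"; WS02 is a benign read-only query.
EVENTS = (
    "Computer: WS01\n"
    "EventID: 4104\n"
    "ScriptBlockText: Add-MpPreference -ExclusionPath 'C:\\Users\\u\\AppData\\Local\\Temp' "
    "-ExclusionExtension exe; Add-MpPreference -ExclusionProcess setup.exe\n"
    "---\n"
    "Computer: WS01\n"
    "EventID: 5007\n"
    "Message: Windows Defender Antivirus Configuration has changed. New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\u\\AppData\\Local\\Temp = 0x0\n"
    "---\n"
    "Computer: WS02\n"
    "EventID: 4104\n"
    "ScriptBlockText: Get-MpPreference | Select-Object ExclusionPath\n"
)


def parse_events(text):
    """Parse the constructed 'key: value' records into dicts."""
    records = []
    for block in text.strip().split("\n---\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            rec[key] = value
        records.append(rec)
    return records


def exclusion_kinds(script):
    """Return the exclusion kinds added by each Add-/Set-MpPreference statement.

    Statements are split on ';' and newlines. Parameter names are matched in
    full; PowerShell also accepts unambiguous prefixes (-ExclusionPa) and the
    script may be encoded or obfuscated, so treat this as a baseline, not a
    complete detector.
    """
    kinds = []
    for stmt in re.split(r"[;\n]", script):
        if MP_CMDLET.search(stmt):
            kinds.extend(k.lower() for k in EXCL_PARAM.findall(stmt))
    return kinds


def triage_event(rec):
    """Map one record to zero or more finding labels."""
    event_id = rec.get("EventID")
    if event_id == "4104":
        return [f"ps_exclusion_{k}" for k in exclusion_kinds(rec.get("ScriptBlockText", ""))]
    if event_id == "5007":
        m = EXCL_REG.search(rec.get("Message", ""))
        return [f"defender_exclusion_{m.group(1).lower()}"] if m else []
    return []


def detect(text):
    """Return (computer, event_id, finding) for every record that fires."""
    return [
        (rec.get("Computer"), rec.get("EventID"), finding)
        for rec in parse_events(text)
        for finding in triage_event(rec)
    ]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Pairing the script-block event with the Defender 5007 event matters in practice: script block logging can be disabled or bypassed by the same actor, whereas Defender records its own configuration change regardless of how the exclusion was added.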

MITRE ATT&CK Enterprise v15