General

  • Target

    56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66

  • Size

    660KB

  • Sample

    241105-d985fasrgy

  • MD5

    1f2d4b0f5bd86a0cc8d5a845767ce021

  • SHA1

    9d69920556dcb2c1ebb1ab5b9937fb8367a566b1

  • SHA256

    56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66

  • SHA512

    a334459a5ab58ea05d322f8cb0fe158b7c28275362b8c4b176d59df842555a05fa4f2b6a16bebde9d25e1ac62c3aa8c0a53076d0d42124b0727cbcec96554492

  • SSDEEP

    12288:0MrPy90m7gV/dP9g/mTvxLjzbE2LhwTei8G51T/ybxeYjYb3fwbM9jfa:byd78/dS/avxL1wp8G51T/ybY3b3fT9G

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

dozt

C2

77.91.124.145:4125

Attributes
  • auth_value

    857bdfe4fa14711025859d89f18b32cb

Targets

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks