General

  • Target

    d9b0a9c06e7fac14fc3891a4378bccd424998a7c71c193ca4cf5062e6975f7b7

  • Size

    1.9MB

  • Sample

    241109-b6qsksvbrb

  • MD5

    3d9b5964bde8a0af79fa67f50d1c14ea

  • SHA1

    2ab618c2eb116cc0d482d3133e152e49a0245b67

  • SHA256

    d9b0a9c06e7fac14fc3891a4378bccd424998a7c71c193ca4cf5062e6975f7b7

  • SHA512

    312e889ee670969bd513178ace2ba862a00610892bd482b555df79a7def7f776a4943da9dca79de9a0e6aae287dd94154c10f3afc37593ce403134ea347b8100

  • SSDEEP

    49152:y5Vapp/+VqKzZkn/obBS9n9uy6QRxs93yfcpkUPEK/zFeNOlm:X/+Vqmkn/ob2nf6ywia7NY0lm

Malware Config

Extracted

Family

redline

Botnet

1

C2

138.124.180.59:88

Targets

    • Target

      asd/HackLoader.dll

    • Size

      72KB

    • MD5

      0c9431ab4b97ec156e54e73ff372da97

    • SHA1

      a294b73236ab3e19afd5e00b496eedc29015b678

    • SHA256

      e29f74d1f86bce700a3ed027603531bcc7c58a5e0afd5ec22461534453a464cd

    • SHA512

      0608df1d1d004eff16474fd427b925cc950c5fb31a18e7632cbb8d531730ce0b2fde9b8b561a0327efe52a65d1d3c58bd87ad8cb3fe2e9a155ae4cf5ca51253d

    • SSDEEP

      1536:aK1c4nxybxPpTCnygbcR+1f4AQaH2Jt1Ixjx+9zUvAEv5XV:/9UPpTCTbpfL5Hu0kzUvAMP

    • Score

      1/10

    • Target

      asd/asd.exe

    • Size

      1.9MB

    • MD5

      cc534308f17c36ccc99b06fc2d871b88

    • SHA1

      2b48a106d38be3dae4add81ac4a78deece210e4d

    • SHA256

      c68189a418b307e204e8771acc84d9d5cec0d1f9aa2c1290208fa15a9fdda017

    • SHA512

      ffa32e4e536aa2eb6d1aec5dca72258d5fe4ccba005601d43c0fd3feda0a4e9bdbc23775fd28deec8702c4db7ce07e181f5ab77d6b5546d4087748b6d6d03289

    • SSDEEP

      49152:ufVl2iMzzVhHVsX0NLFtP6O83XxPR7FIYNMIc8qH3Lc:IlezzV1VsXyLFtP61HxzIYNM7JA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Redline family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
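
    The four environment checks flagged above (VirtualBox ACPI registry values, BIOS strings, Wine registry keys and the configured country code) are the classic way a stealer decides whether to run at all, so a sandbox that is not hardened against them simply sees a clean exit. The script below is an added example for checking how an analysis VM would look to such a sample; it is not code from the sample or from the sandbox vendor. The registry paths, the VM vendor strings and the geofenced locale list are assumptions drawn from commonly used anti-VM routines, since the report only names the categories of values read, not the exact keys. On Windows it reads the live registry via `winreg`; elsewhere it runs against a constructed snapshot so the logic can be exercised offline.

```python
"""
Offline re-implementation of the sandbox-evasion heuristics named in the
report (ACPI/VirtualBox keys, BIOS strings, Wine keys, locale geofence).
Added example, not the sample's own code: the exact registry paths and
marker strings are assumptions based on common anti-VM checks.
"""
import re
import sys
from typing import Dict, Iterable, List

# Assumed registry locations; the report names only the categories checked.
ACPI_VM_KEYS = [
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
]
BIOS_VALUES = [
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
]
WINE_KEYS = [r"HKCU\Software\Wine", r"HKLM\Software\Wine"]
LOCALE_VALUES = [
    r"HKCU\Control Panel\International\LocaleName",      # e.g. "en-US"
    r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\Default",  # hex LCID, e.g. "0409"
]
# Hypervisor / VM vendor markers commonly searched for in BIOS strings (assumed).
BIOS_MARKERS = re.compile(r"vbox|virtualbox|vmware|qemu|bochs|xen|hyper-v|innotek|parallels", re.I)
# Constructed geofence list; the sample's real exclusion list is not in the report.
GEOFENCE_LOCALES = {"ru-RU", "uk-UA", "be-BY", "kk-KZ", "0419", "0422", "0423", "043F"}

ALL_PATHS = ACPI_VM_KEYS + BIOS_VALUES + WINE_KEYS + LOCALE_VALUES


def read_windows_registry(paths: Iterable[str]) -> Dict[str, str]:
    """Snapshot the given paths from the live registry (Windows only).
    A path that opens as a key is recorded with value ""; otherwise the last
    component is treated as a value name and its data is stored as a string."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Dict[str, str] = {}
    for path in paths:
        hive, _, rest = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], rest):
                snap[path] = ""
                continue
        except OSError:
            pass
        key_path, _, value_name = rest.rpartition("\\")
        try:
            with winreg.OpenKey(hives[hive], key_path) as key:
                snap[path] = str(winreg.QueryValueEx(key, value_name)[0])
        except OSError:
            pass  # key or value absent: nothing for the heuristic to see
    return snap


def evaluate(snapshot: Dict[str, str]) -> List[str]:
    """Apply the four heuristics to a snapshot {path: data}. Returns the list of
    triggered findings; an empty list means the sample would see a 'real' host."""
    findings: List[str] = []
    for key in ACPI_VM_KEYS:
        if key in snapshot:
            findings.append(f"acpi-vm:{key}")
    for value in BIOS_VALUES:
        data = snapshot.get(value, "")
        if data and BIOS_MARKERS.search(data):
            findings.append(f"bios:{value}={data}")
    for key in WINE_KEYS:
        if key in snapshot:
            findings.append(f"wine:{key}")
    for value in LOCALE_VALUES:
        data = snapshot.get(value, "")
        if data and data in GEOFENCE_LOCALES:
            findings.append(f"geofence:{value}={data}")
    return findings


def would_abort(snapshot: Dict[str, str]) -> bool:
    """True if any evasion check fires, i.e. the sample would most likely exit early."""
    return bool(evaluate(snapshot))


# Constructed snapshot of an unhardened VirtualBox guest, for offline runs.
VBOX_SNAPSHOT = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer": "innotek GmbH",
    r"HKCU\Control Panel\International\LocaleName": "en-US",
}

if __name__ == "__main__":
    snap = read_windows_registry(ALL_PATHS) if sys.platform == "win32" else VBOX_SNAPSHOT
    for finding in evaluate(snap):
        print("TRIGGERED", finding)
    print("sample would abort:", would_abort(snap))
```

Run it inside the analysis VM before detonating: every line printed is a heuristic the VM fails, and a hardened sandbox should print none. Note that the script covers only the registry-based checks named in the report; the `NtSetInformationThreadHideFromDebugger` call is a separate anti-debugging measure that this check does not model.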

MITRE ATT&CK Enterprise v15

Tasks