General

  • Target

    1fda1039c8060a1e5ca2442b4e239f1192e3ce4ba18bce6044c25f6c68c1fc68

  • Size

    815KB

  • Sample

    241109-xs2tkssrbr

  • MD5

    f5a9b33a0259ab94515456f9cc5de5c5

  • SHA1

    89272fbd0c5b9c386ec4c7d748a22b330665b5b8

  • SHA256

    1fda1039c8060a1e5ca2442b4e239f1192e3ce4ba18bce6044c25f6c68c1fc68

  • SHA512

    0e4bbb25a0e162752e4894e9f20e367b6e59f7f7caf18f4d4b0f00a4cd28dc6a7b3b34e548cbf25f3d56ff734687c97eb29a14f275059332d9f64977e4b867f3

  • SSDEEP

    12288:by903FAixx219QRWPAfxR4x2mkZKtPk8P83aDWLRhlQzy5IM0eldonN:byUCxglp2Qb0tPT8mWLZygZ0dN

Malware Config

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes
  • auth_value

    d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dark

C2

185.161.248.73:4164

Attributes
  • auth_value

    ae85b01f66afe8770afeed560513fc2d

Targets

    • Target

      1fda1039c8060a1e5ca2442b4e239f1192e3ce4ba18bce6044c25f6c68c1fc68

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks