General

  • Target

    52c82f6ceb8cf41de8a4c01b313e3712.exe

  • Size

    2.5MB

  • Sample

    241215-j41h1azpgn

  • MD5

    52c82f6ceb8cf41de8a4c01b313e3712

  • SHA1

    69b699431dbbee3b6fd76d762a27db30f1f792b5

  • SHA256

    0a9bec73980eb6774e0e50da9dd812551d20a7d839020976ebdc0fb93ed2ebf9

  • SHA512

    b1022ea6a0859679f33c7d01918a2b63278205f61d9d0d77be8f34f5f973ae67b0f049353358521dac3dc0e1f43af93204f2cda17b0a0e3d4f28708d69f12aab

  • SSDEEP

    12288:CId+rFKcOyCwoXjMbTKLNhEpZ4m0vXQKQrxgbcv0NTR:7d+9CwoXjMbTUhgqm01cvkTR

Malware Config

Extracted

  • Family

    redline

  • Botnet

    eewx

  • C2

    185.81.68.147:1912

Targets

    • Target

      52c82f6ceb8cf41de8a4c01b313e3712.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks