General

  • Target

    System32.exe

  • Size

    5.3MB

  • Sample

    241216-hlxtqazqbp

  • MD5

    d4817ea043beaf35d19fa6a5adaa179c

  • SHA1

    bf5c75100142731e737c04b55769c4479bef0c01

  • SHA256

    da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d

  • SHA512

    98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277

  • SSDEEP

    98304:euP+GgrLRHeOxxsJFoQYVCkOTfOKfKQMZ8htPwCakmxrcTZcV+TQB:l+GgLRJghYckmmKfFMZqtMkicZcV2e

Malware Config

Extracted

Family

redline

Botnet

duc

C2

159.223.34.114:1912

Targets

    • Target

      System32.exe

    • Size

      5.3MB

    • MD5

      d4817ea043beaf35d19fa6a5adaa179c

    • SHA1

      bf5c75100142731e737c04b55769c4479bef0c01

    • SHA256

      da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d

    • SHA512

      98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277

    • SSDEEP

      98304:euP+GgrLRHeOxxsJFoQYVCkOTfOKfKQMZ8htPwCakmxrcTZcV+TQB:l+GgLRJghYckmmKfFMZqtMkicZcV2e

    • Modifies visiblity of hidden/system files in Explorer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks