General

  • Target:

  • Size: 148.4MB

  • Sample: 240630-jkxyrsvejb

  • MD5: e9a7edfdb82ed2b9f6cb31bcc438c690

  • SHA1: cd51fd08928961645f1b238ad0ad3f78f4a54289

  • SHA256: 8e0543407eeeae125e31d12c41c6678eb46dd8737ed58e5a17a6ff48bd56fd6a

  • SHA512: 9f131cfbfc25492fa2eca7ab112a93cbf5056d1c87b2e12953d4ee2aef6792ba012d28a4fbebfdbbc4454fa79e11e97d65f25449416a084575b11dc7cf96b106

  • SSDEEP: 3145728:3lT2amsbjBDXyF1f6QaOZcEeDdI2bOBc1hI6OHiekMGfRuUmuLpRhv:VT2AjBDCHf6QPZc/iBc1hDOHiQGsiv

Malware Config

Extracted

  • Family: redline

  • Botnet: @tronzzz

  • C2: 94.228.166.68:80

Targets

    • Target: e@zy_start.exe

    • Size: 782.4MB

    • MD5: 0db1b5fae054951e07208f6fa22367ad

    • SHA1: b21a2f734293aa21acbefb814043d55a74616a7a

    • SHA256: 70a6a3cd35cf1f118f749b8557301ae3f9e477edb3eceaaea7c6b030fb5963b9

    • SHA512: 625e6090010212eb52201cb5a3cd48752a2feab57037f8a54f2472b0b8428ee20b444d7cdcb9fa42b443c4e79767b87b47dc3aeb1044c2e2a7ba699e0ee126b0

    • SSDEEP: 98304:YkQIzJ7T7q/ap2fZAq0G+qkct8lGgXMcYc9cDcYc9cDcYc9cDcYc9cDcYc9cDcYt:YkQINn7q/BSxGBktFc

    • RedLine

      RedLine Stealer is a malware family written in C#, first seen in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks