Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com

windows10-1703-x64

10

Resubmissions

09-07-2024 04:19

240709-exzwnswbnr 8

08-07-2024 07:13

240708-h2an5azgkg 6

07-07-2024 10:00

240707-l1l8ba1gqb 10

07-07-2024 09:59

240707-l1e41a1gpc 1

06-07-2024 07:41

240706-jjdhqstcpg 4

06-07-2024 06:14

240706-gzq3na1blh 1

06-07-2024 06:14

240706-gzmegaybjq 4

05-07-2024 10:41

240705-mrjlhawhpp 4

05-07-2024 10:30

240705-mj4lpsyhlc 4

05-07-2024 10:17

240705-mble6awfnq 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://github.com

  • Sample

    240707-l1l8ba1gqb

Score
10/10
redlinediscoveryevasionexecutioninfostealerpersistencespyware

Malware Config

Extracted

Family

redline

C2

185.196.9.26:6302

Targets

    • Target

      https://github.com

    Score
    10/10
    redlinediscoveryevasionexecutioninfostealerpersistencespyware

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

File and Directory Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks