2023-03-02 (THURSDAY) - RIG EK --> MALWARE LOADER --> REDLINE STEALER


RIG EK:

- 188.227.106[.]13 port 80 - 188.227.106[.]13 - HTTP traffic for Rig EK

POST-INFECTION TRAFFIC:

- 62.204.41[.]175 port 80 - 62.204.41[.]175 - GET /putingods.exe
- 62.204.41[.]175 port 44271 - TCP traffic for Redline data exfiltration

MALWARE AND ARTIFACTS:

- SHA256 hash: 4e97f69d7c89a4e913370355f093917758f75a3895caa55f0c3b46a6b7843116
- File size: 1,164 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\U.tMp
- File description: Artifact created during Rig EK infection

- SHA256 hash: 2a2570f4ee8db070a14de197ddd328260059b63528d8eaf3e0d39972a88161bf
- File size: 1,508,352 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\zjuz0.exe
- File description: Rig EK payload, a malware loader EXE

- SHA256 hash: 0795128a43b086cdc6b8a4036b318a5ba32762cc387a86b42e7211e6d3e164ad
- File size: 786,944 bytes
- File location: hxxp://62.204.41[.]175/putingods.exe
- File description: Redline Stealer retrieved by the Rig EK payload above

IMAGES:

Shown above: Traffic from the infection filtered in Wireshark.
