Overview

overview

10

Static

static

исходник.exe

windows7_x64

6

исходник.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    исходник.exe

  • Size

    2.6MB

  • Sample

    220127-vd64msgafn

  • MD5

    cb267c252a42ed8e1de90463e2ab4013

  • SHA1

    fcfc74cfc893c4b454cfcc190a51fc9e9b6b265b

  • SHA256

    1ec0a7cf579b43db873c885bb6fcee2e082ef92fe423372acec2cab9bd9040c0

  • SHA512

    ece505a79a2e2b84b731ece8024e37f4da579f6af1555ad6ae2088c5fe4c5884819e64a4ca7b42fcee464912179e88a9782566cf5f2ff18f9bf63121e5045b01

Score
10/10
echelonredlinesapphireinfostealerspywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

sapphire

C2

185.230.143.237:2548

Targets

    • Target

      исходник.exe

    • Size

      2.6MB

    • MD5

      cb267c252a42ed8e1de90463e2ab4013

    • SHA1

      fcfc74cfc893c4b454cfcc190a51fc9e9b6b265b

    • SHA256

      1ec0a7cf579b43db873c885bb6fcee2e082ef92fe423372acec2cab9bd9040c0

    • SHA512

      ece505a79a2e2b84b731ece8024e37f4da579f6af1555ad6ae2088c5fe4c5884819e64a4ca7b42fcee464912179e88a9782566cf5f2ff18f9bf63121e5045b01

    Score
    10/10
    echelonredlinesapphireinfostealerspywarestealersuricata

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

      stealerspywareechelon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks