Resubmissions

03-02-2023 01:45

230203-b6fmlshg33 10

02-02-2023 21:18

230202-z5z7maba8z 10

02-02-2023 21:02

230202-zvr39sah6z 10

General

  • Target

    a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c.zip

  • Size

    943B

  • Sample

    230203-b6fmlshg33

  • MD5

    cdc031e5ba9bc2934c85c07e309fd785

  • SHA1

    68334c5368aebd16e4e9ded0793df489eb94ad3b

  • SHA256

    fe691ec7c2a992948fe3bdd861ef9c93e49521cc7a310fae87dd61704b73904f

  • SHA512

    82444bf09d2fc6c3553954ebcb7c1d66f5eff4ac08acd3d8d05c6c100da067e10841f60ecda8871b820d16f00d59bb3d6e59034344dd2d8234cb7cd991e7230c

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe

Extracted

Family

redline

Botnet

cheat

C2

194.26.192.248:7053

Targets

    • Target

      a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c.lnk

    • Size

      2KB

    • MD5

      ef7f9739337bc657cd0a63e32e27d0a1

    • SHA1

      bf67555a7272f24ceb57b1c49e4cf37dc17b246f

    • SHA256

      a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c

    • SHA512

      e3d0a14ac1b9165e75e619aa6f76058a4c799bb722abaeafac977c35f31ab10ad8c8a51c7f3828bb896cbf339f971974a4fb26421ba6aea52530ac84b7785ada

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks