General

  • Target: New order RS302-2023.exe
  • Size: 1.5MB
  • Sample: 230213-kpavgabd9y
  • MD5: 79f29087b398759dea999db7057989c4
  • SHA1: 246f73151b02a4c27285aa7ff3ce4bcb3f63fe0d
  • SHA256: 1e82ed7a9d804175a7b412ac27314dbdf2e2c3453aca9954a12a30a521f47a8d
  • SHA512: c0606b2afd5e3d17a22a573bcd934e59b8b39bf2c3f7746fc4bef64167dd2691aad0cffcf709194c92be29db718cc38a7b771716d0660af5b7fbe3d9dc584024
  • SSDEEP: 24576:ATEJn2l0Sq9c8CsQxUau+Eiu4Vk3XS4uIgByzgeGYKGb4BXy/A4H8tVytC:AE2l0e8CsQxa6v4TN0s4BXyxHsVy

Malware Config

Extracted

  • Family: redline
  • Botnet: V1
  • C2: 192.227.144.59:12210

Targets

    • Target: New order RS302-2023.exe (size and hashes as listed under General)

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files (T1081): 1
  • Discovery: Query Registry (T1012): 1
  • Discovery: Peripheral Device Discovery (T1120): 1
  • Discovery: System Information Discovery (T1082): 1
  • Collection: Data from Local System (T1005): 1