Overview

overview

10

Static

static

10

18b8eaaca1...7c.exe

windows7-x64

10

18b8eaaca1...7c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    18b8eaaca17c55a378a88b6767b14d7c.exe

  • Size

    199KB

  • Sample

    230309-xhgewsbd41

  • MD5

    18b8eaaca17c55a378a88b6767b14d7c

  • SHA1

    cc3b16b0cee1476790ace32097d7a5e903d3ee50

  • SHA256

    a591e8d5b6ebe119919fe949d09e56224547f0cc511f21244c7cf77447e1f071

  • SHA512

    d193e675688a43bc3caad08ea7e3b58d40f7eca01ee562ab213915f76a3ea245b4b168fb19c15523cceee937b428a147d8537e80d11a881e0cd8be13750a2fa6

  • SSDEEP

    3072:VzMkEejtozYaGKfYE7VcCAZXiLF6nzL6LHVLKs+qb6jNXlwZA8a00f:VzpEQ+soAEpcCAZXiLF6zL6NPkwer

Score
10/10
eternityredlinesectopratnew1discoveryinfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    http://95.214.27.203:8080/upload/wrapper.exe

    http://95.214.27.203:8080/upload/oigmre.exe,http://95.214.27.203:8080/upload/handler.exe

Extracted

Family

redline

Botnet

new1

C2

85.31.46.182:12767

Targets

    • Target

      18b8eaaca17c55a378a88b6767b14d7c.exe

    • Size

      199KB

    • MD5

      18b8eaaca17c55a378a88b6767b14d7c

    • SHA1

      cc3b16b0cee1476790ace32097d7a5e903d3ee50

    • SHA256

      a591e8d5b6ebe119919fe949d09e56224547f0cc511f21244c7cf77447e1f071

    • SHA512

      d193e675688a43bc3caad08ea7e3b58d40f7eca01ee562ab213915f76a3ea245b4b168fb19c15523cceee937b428a147d8537e80d11a881e0cd8be13750a2fa6

    • SSDEEP

      3072:VzMkEejtozYaGKfYE7VcCAZXiLF6nzL6LHVLKs+qb6jNXlwZA8a00f:VzpEQ+soAEpcCAZXiLF6zL6NPkwer

    Score
    10/10
    eternityredlinesectopratnew1discoveryinfostealerpersistenceratspywarestealertrojan

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks