General

  • Target

    4a5e4b6764dc780fd11055c6324a0875.exe

  • Size

    136KB

  • Sample

    230320-ccph4abc76

  • MD5

    4a5e4b6764dc780fd11055c6324a0875

  • SHA1

    ac711ae5b692c63ade36482e5532db153f208abd

  • SHA256

    b66dd893c2dc2c5e7f23595a9cda5b65d70adb2df285c17b03ed0eaacffcf1b8

  • SHA512

    5ecd8f23324255882e77cd1b87775a528e38af1a266e6dcf4888050eebae4ae827d1b17f4b74706a2099385d261b492ce39ba6bcc4872baf36b4d940d4db9e46

  • SSDEEP

    1536:JxqjQ+P04wsmJCmzi0Zb78ivombfexv0ujXyyed2k3tmulgS6p8li1qqsCbqDylI:sr85Cmzi0ZbYe1g0ujyzdO8iYEwiYjV

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

8.tcp.ngrok.io:10052

Targets

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                          Count  ID
Persistence            Change Default File Association    1      T1042
Defense Evasion        Modify Registry                    1      T1112
Credential Access      Credentials in Files               1      T1081
Discovery              Query Registry                     1      T1012
Discovery              System Information Discovery       2      T1082
Collection             Data from Local System             1      T1005
Command and Control    Web Service                        1      T1102