General

  • Target

    ddf82eaf2707ce522623efb8724ec4d3def245b7edff76245da2eb902b0773bb.zip

  • Size

    364KB

  • Sample

    230328-kschgabg21

  • MD5

    fe34b1b6e54a6d411c7c0d7a1f8098d5

  • SHA1

    a49475672eee45be381ef37a35a7afe2e0db760f

  • SHA256

    fa3680e959871a8b7880231d204a715261c82e9c37ba79c2298e16e05aa975e5

  • SHA512

    2b449419dc5028e123f497d98d6f5c20db660222e4afef45f0447e1b32b709feaea5e1ad150c90202ed14b6fe9503958fb6f23887d30621ff494adf572884710

  • SSDEEP

    6144:QRoGho+5ItvZhmMxYnbgKqewARrxse8G528i0LSYBezA24r8KwX8+XpPy83f:yk5VxMBwAROtk28iKSVz+wKwX8+XZTf

Malware Config

Extracted

  • Family

    redline

  • Botnet

    azure

  • C2

    68.219.104.74:56189

Targets

    • Target

      ddf82eaf2707ce522623efb8724ec4d3def245b7edff76245da2eb902b0773bb

    • Size

      637KB

    • MD5

      4aa0c7957da0e3a896ea83291b6e60ab

    • SHA1

      88fabfa45c3d2c7db2096bee7a59479593e2bb90

    • SHA256

      ddf82eaf2707ce522623efb8724ec4d3def245b7edff76245da2eb902b0773bb

    • SHA512

      300fb41e9563bef358d7db1543c8b2d966cbb2faf5b13d08bda04892fa9b11f65e0891734a62e77a60e3de1fe9ddff63acb3f42bcfd773946835ff1cbf7f4a6c

    • SSDEEP

      12288:N4H3Z0scDTvtXTDK+sW9O2q2uU0Q4vWkJ:NucDTJnquk

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012)

    1

  • System Information Discovery (T1082)

    2

Tasks