General

  • Target

    S500 RAT.zip

  • Size

    41.6MB

  • Sample

    230928-rx2fqadd68

  • MD5

    e965e26a748de8e772762b990e8b2444

  • SHA1

    14d59ba82a1864ddcd702833eaa5fda25fc6cde5

  • SHA256

    2100b0587c37d38428aafa6e17696ac99f86d57bef16c97d484f51ae54cb440f

  • SHA512

    4962fc8b46ff66f28e2482fb367494868f770317e0f720a3b65b5602df481048f3ca3380c7318cbe8a4db4505f08e30209b319a4ea8f84b3c6df66001b748969

  • SSDEEP

    786432:LhX8h0I2ufN4fDbjQl7oGfjTKuLfGLaHJh1PRyU41LsoGFl5/7l+7E+:mhPfNWbUl7oGrhhn1ZMCt5Dl3+

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://pastebin.com/raw/p2s7tDSd

Targets

    • Target

      S500 RAT.zip

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
