General

  • Target

    12ffa1176b818fa9f207f35ee65fb78c

  • Size

    876KB

  • Sample

    231230-jz3skaacg2

  • MD5

    12ffa1176b818fa9f207f35ee65fb78c

  • SHA1

    f94354dab1f9b9bc3cd2b9fe5ac58bdd455b29e8

  • SHA256

    87b99b98b8ad4340eb617be1a91a09995f3d878f8b9b4a6e613593db894419cd

  • SHA512

    f412968e059d18f3dbaf1e7d77f08e993e967b97e4edd72713142b6576d053dfbd241378b6ec5ffa8f3930b9d2f48ff9806c56ae2e5aa37c330cca2510ac55e0

  • SSDEEP

    24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

Malware Config

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Targets

    • Target

      12ffa1176b818fa9f207f35ee65fb78c

    • Size

      876KB

    • MD5

      12ffa1176b818fa9f207f35ee65fb78c

    • SHA1

      f94354dab1f9b9bc3cd2b9fe5ac58bdd455b29e8

    • SHA256

      87b99b98b8ad4340eb617be1a91a09995f3d878f8b9b4a6e613593db894419cd

    • SHA512

      f412968e059d18f3dbaf1e7d77f08e993e967b97e4edd72713142b6576d053dfbd241378b6ec5ffa8f3930b9d2f48ff9806c56ae2e5aa37c330cca2510ac55e0

    • SSDEEP

      24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks