General

  • Target

    27e57b661c54816dd0281cd9507be4e0

  • Size

    876KB

  • Sample

    231231-exynlsaaen

  • MD5

    27e57b661c54816dd0281cd9507be4e0

  • SHA1

    00f2341b3c61474ddf599713a5d4fce358b1a368

  • SHA256

    2c097f75f70db6da229e183ca9707ca241e5c7b9ce481bd79a9110038edac455

  • SHA512

    5b3ccf39667336ea75942c3e6a44c659319b9a3ff19c5ef441c94cbfec621675add016374d83be86be364d0eadad5fbb35d1cca9d043569bf6c6f3c52b32c1ae

  • SSDEEP

    24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

Malware Config

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Targets

    • Target

      27e57b661c54816dd0281cd9507be4e0

    • Size

      876KB

    • MD5

      27e57b661c54816dd0281cd9507be4e0

    • SHA1

      00f2341b3c61474ddf599713a5d4fce358b1a368

    • SHA256

      2c097f75f70db6da229e183ca9707ca241e5c7b9ce481bd79a9110038edac455

    • SHA512

      5b3ccf39667336ea75942c3e6a44c659319b9a3ff19c5ef441c94cbfec621675add016374d83be86be364d0eadad5fbb35d1cca9d043569bf6c6f3c52b32c1ae

    • SSDEEP

      24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks