General

  • Target

    545e929d4444c8b17f5a1f5a08efc088.exe

  • Size

    662KB

  • Sample

    240111-y1cebsffbl

  • MD5

    545e929d4444c8b17f5a1f5a08efc088

  • SHA1

    57f6234b23349f4470693c772e1a3b3673109d8f

  • SHA256

    6508c95b3207397a7bae85d516d87267e8789428f06e743618310e1cddef6f4b

  • SHA512

    84501c2f9759c75366a0d6e63362244602bf8cdf9b80a4ea67a3c63197e7899380e0ac33fdf19f6966ae56468419218ff6ce59585507bf524835fcd45a09a03f

  • SSDEEP

    12288:WqDLhsTt4fsSR036C5zpWl9ZY1gbH7QBcEolPwiIPH2:WqDLhSt4fsSRA6C5lWl9Zogj7QBcEolp

Malware Config

Extracted

Family

redline

Botnet

1853653057

C2

185.250.206.122:43180

Targets

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks