General

  • Target

    54912a5f615fd6b057315b741ad01060

  • Size

    1.8MB

  • Sample

    240111-zs8m8sgecr

  • MD5

    54912a5f615fd6b057315b741ad01060

  • SHA1

    e31668d8f66142e787796de6816ea1ad1c74af76

  • SHA256

    6c6b409d867e26d5db4fbef89f446dedd80471acc9bd62498ad289ea653588b8

  • SHA512

    656de85abf1d02009b2db76f4b2dd6f538fe886f9e99ebcd9c3b73029e7a2b2c8c25d2bbae05cf1c0315dbcd416489b5ebfd5f359c4914651ace7e0a703e9b0d

  • SSDEEP

    49152:lXWDCw311GflCOYep0/VfJW06OBtMVN2W1TW:lmGw311Gfl+euVfJVHtM3ZTW

Malware Config

Extracted

  • Family

    redline

  • C2

    54.38.123.247:8696

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15