General

  • Target

    58cd344626319c5b2a533871979b4225

  • Size

    1.9MB

  • Sample

    240113-nhscqaaac3

  • MD5

    58cd344626319c5b2a533871979b4225

  • SHA1

    7720d2f88a0ea1495ae13ceb6f9d5d08fa6a696e

  • SHA256

    c3e9175742396eb00a44a0c826d698ad3e639159d2ad81391f2a42e74196340e

  • SHA512

    7effb6fb2be297a3f5de7b6d85e3855eb667f80ae8649cdd0c6a3e8a4e3d691bfd817ae4c4630667f7104dd3ba5502c8558653d98756e7aefe60bce3a6522881

  • SSDEEP

    49152:v/QOhFsIBdVbb6Wvg6glBFSsSeRRoN83a5lbvw:v/bFsQfb6WvdglBFSCR2JI

Malware Config

Extracted

Family

redline

Botnet

qawsedrf

C2

65.21.162.231:41328

Targets

    • Target

      58cd344626319c5b2a533871979b4225

    • Size

      1.9MB

    • MD5

      58cd344626319c5b2a533871979b4225

    • SHA1

      7720d2f88a0ea1495ae13ceb6f9d5d08fa6a696e

    • SHA256

      c3e9175742396eb00a44a0c826d698ad3e639159d2ad81391f2a42e74196340e

    • SHA512

      7effb6fb2be297a3f5de7b6d85e3855eb667f80ae8649cdd0c6a3e8a4e3d691bfd817ae4c4630667f7104dd3ba5502c8558653d98756e7aefe60bce3a6522881

    • SSDEEP

      49152:v/QOhFsIBdVbb6Wvg6glBFSsSeRRoN83a5lbvw:v/bFsQfb6WvdglBFSCR2JI

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks