General

  • Target

    a84dc4822dcdf62bb8a2e6f61a33a25d

  • Size

    876KB

  • Sample

    240227-fx9xbahe7z

  • MD5

    a84dc4822dcdf62bb8a2e6f61a33a25d

  • SHA1

    e06315dd173c88c04be76f463e177e771e451830

  • SHA256

    abca859951c7af8cfda8687a22f911d82f132085b4a3a638a0ec06d945143af2

  • SHA512

    f546c2415bf33b1bfccd67e8e253228708be4063915b3aba9a7f1d97b76f5a9fb53c1288f42a0c6be7bb5ab975f2516d4108c9cfb7e3549d22909c53fd33df25

  • SSDEEP

    24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

Malware Config

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Targets

    • Target

      a84dc4822dcdf62bb8a2e6f61a33a25d

    • Size

      876KB

    • MD5

      a84dc4822dcdf62bb8a2e6f61a33a25d

    • SHA1

      e06315dd173c88c04be76f463e177e771e451830

    • SHA256

      abca859951c7af8cfda8687a22f911d82f132085b4a3a638a0ec06d945143af2

    • SHA512

      f546c2415bf33b1bfccd67e8e253228708be4063915b3aba9a7f1d97b76f5a9fb53c1288f42a0c6be7bb5ab975f2516d4108c9cfb7e3549d22909c53fd33df25

    • SSDEEP

      24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks