General

  • Target

    c6a8f3d39b2490346ec60813a441e1d6

  • Size

    876KB

  • Sample

    240313-xxfrxafd33

  • MD5

    c6a8f3d39b2490346ec60813a441e1d6

  • SHA1

    c66ed4bf05e754119a63d3d161d90b5af00224de

  • SHA256

    cee2541ee22b95d488c239a3926b43d750988b246e00740d283d5f892f9939e3

  • SHA512

    dacb10721f50d7e002bb1a0a7e9f7af2ad722775f506cf9732bacef6615e203a03c8d8a5c8fbb2773e11d5f6a7177d1072a191b707ef00600543f8262929b5d2

  • SSDEEP

    24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

Malware Config

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Targets

    • Target

      c6a8f3d39b2490346ec60813a441e1d6

    • Size

      876KB

    • MD5

      c6a8f3d39b2490346ec60813a441e1d6

    • SHA1

      c66ed4bf05e754119a63d3d161d90b5af00224de

    • SHA256

      cee2541ee22b95d488c239a3926b43d750988b246e00740d283d5f892f9939e3

    • SHA512

      dacb10721f50d7e002bb1a0a7e9f7af2ad722775f506cf9732bacef6615e203a03c8d8a5c8fbb2773e11d5f6a7177d1072a191b707ef00600543f8262929b5d2

    • SSDEEP

      24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks