redline | 235e6d8a984c6c293b737d5a59960cfb3a091945da8aade6e7dfa16a8209dd7f | Triage

Submit
Reports

Overview

overview

Static

static

3

f3e4e1a649...18.exe

windows7-x64

f3e4e1a649...18.exe

windows10-2004-x64

Sharing

General

Target

f3e4e1a649176fa6496a36faea34cead_JaffaCakes118
Size

876KB
Sample

240416-t9sepagg41
MD5

f3e4e1a649176fa6496a36faea34cead
SHA1

3d31a5d9dda58e53119ca6b2a72b432fbf3e6479
SHA256

235e6d8a984c6c293b737d5a59960cfb3a091945da8aade6e7dfa16a8209dd7f
SHA512

3d9099e77200813aa1ee6997e8778863f434f91c4bfcb963dc985bbe251b457a770cd7ba9de1b651b71d9af83de761e6de283d594095635fc981d7331f1ff3e0
SSDEEP

24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

Score

10^/10

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe

Resource

win7-20240221-en

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe

Resource

win10v2004-20240412-en

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Targets

- Target
  
  f3e4e1a649176fa6496a36faea34cead_JaffaCakes118
- Size
  
  876KB
- MD5
  
  f3e4e1a649176fa6496a36faea34cead
- SHA1
  
  3d31a5d9dda58e53119ca6b2a72b432fbf3e6479
- SHA256
  
  235e6d8a984c6c293b737d5a59960cfb3a091945da8aade6e7dfa16a8209dd7f
- SHA512
  
  3d9099e77200813aa1ee6997e8778863f434f91c4bfcb963dc985bbe251b457a770cd7ba9de1b651b71d9af83de761e6de283d594095635fc981d7331f1ff3e0
- SSDEEP
  
  24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU
Score

10^/10

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectopratbuild2_mastifagilenetinfostealerpersistencerattrojan

behavioral2

redlinesectopratbuild2_mastifagilenetinfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy