redline

General

Target

9a39e9f69780a5c38628b9ef94cc8309c9ebb4272f837b19ed2fc09da998154e
Size

181KB
Sample

240419-a971lach2w
MD5

7465d871f23a705db0b2b6730c74e786
SHA1

780d13eedd18f6646d1d9fda46b7dd55d9244575
SHA256

9a39e9f69780a5c38628b9ef94cc8309c9ebb4272f837b19ed2fc09da998154e
SHA512

8c5588fc38283f18da703ac23fd90ac9f52b57c2b51667de35967c2a8dae37fb25008469c13153217f4712298a8a4d75e7a2743fb4f668668dd8efb12e5dcb25
SSDEEP

3072:QQW8lTQY0ndQZn/jJtILH4htDcS9uG55keLiwRZhEAxHpvhcOjD9dwj+ltu:17TQXndQdqHAlcS9uGZLiwj7JvhcOjDs

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

195.10.205.79:30525

Targets

- Target
  
  9a39e9f69780a5c38628b9ef94cc8309c9ebb4272f837b19ed2fc09da998154e
- Size
  
  181KB
- MD5
  
  7465d871f23a705db0b2b6730c74e786
- SHA1
  
  780d13eedd18f6646d1d9fda46b7dd55d9244575
- SHA256
  
  9a39e9f69780a5c38628b9ef94cc8309c9ebb4272f837b19ed2fc09da998154e
- SHA512
  
  8c5588fc38283f18da703ac23fd90ac9f52b57c2b51667de35967c2a8dae37fb25008469c13153217f4712298a8a4d75e7a2743fb4f668668dd8efb12e5dcb25
- SSDEEP
  
  3072:QQW8lTQY0ndQZn/jJtILH4htDcS9uG55keLiwRZhEAxHpvhcOjD9dwj+ltu:17TQXndQdqHAlcS9uGZLiwj7JvhcOjDs
Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects .NET executables utilizing NyanX-CAT C# Loader
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

SectopRAT

SectopRAT payload

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects .NET executables utilizing NyanX-CAT C# Loader

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2