General

  • Target

    slinkyloader.exe

  • Size

    18.5MB

  • Sample

    240420-w5df3seg46

  • MD5

    640e7e74b5efd1bcd03a733e21e55a5f

  • SHA1

    028ae95e3b5441f51087fed53262f487729e0696

  • SHA256

    dc98ef1726f2241bec4e48a438da3db98ed4d5703dd50d9bf1b18c272ff643eb

  • SHA512

    d554f5e01389fb0277d0da054fffdce710df8f2d82ca6ccc683150483bef52a972c6991169a34fc3911c3f86911fdcda0c1689669fc3bf7c1c09e68491869225

  • SSDEEP

    393216:LKRqNWNKROYkhkpXorNv+oXsDS3LNK3HOU6x0pW/lJktSrZPLAB:WANWKRrpYrNvou7NK3uU6E29dPL

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

john-nil.gl.at.ply.gg:32513

Targets

    • Target

      slinkyloader.exe

    • Size

      18.5MB

    • MD5

      640e7e74b5efd1bcd03a733e21e55a5f

    • SHA1

      028ae95e3b5441f51087fed53262f487729e0696

    • SHA256

      dc98ef1726f2241bec4e48a438da3db98ed4d5703dd50d9bf1b18c272ff643eb

    • SHA512

      d554f5e01389fb0277d0da054fffdce710df8f2d82ca6ccc683150483bef52a972c6991169a34fc3911c3f86911fdcda0c1689669fc3bf7c1c09e68491869225

    • SSDEEP

      393216:LKRqNWNKROYkhkpXorNv+oXsDS3LNK3HOU6x0pW/lJktSrZPLAB:WANWKRrpYrNvou7NK3uU6E29dPL

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks