General

  • Target

    build.exe

  • Size

    351KB

  • Sample

    240505-wlx2dabg97

  • MD5

    e00381635f0deee1380080b322aec301

  • SHA1

    751c7ac25d1cbd1a789bea64f46bb226d9cd43e1

  • SHA256

    18c790568c6e0e30d600135a33a9e41ff55e076600fec006772d95849abc4def

  • SHA512

    f401016e001ffad5e731c6afb333acd3124dd8c9d2187b06cc38a4094cb2e67bfd5b8a732587df92ab34bd4902b94cdc5ab5aeb413af857777fb5e5fd13b62a3

  • SSDEEP

    6144:Vkup0yN90QEsvxUDJchSJrcu78hp1mQlZDJ0ML:Wy900WDJLJrtKp1mGRJ0g

Malware Config

Extracted

  • Family

    redline

  • Botnet

    cheat

  • C2

    ii-restored.gl.at.ply.gg:43416

Targets

    • Target

      build.exe

    • Size

      351KB

    • MD5

      e00381635f0deee1380080b322aec301

    • SHA1

      751c7ac25d1cbd1a789bea64f46bb226d9cd43e1

    • SHA256

      18c790568c6e0e30d600135a33a9e41ff55e076600fec006772d95849abc4def

    • SHA512

      f401016e001ffad5e731c6afb333acd3124dd8c9d2187b06cc38a4094cb2e67bfd5b8a732587df92ab34bd4902b94cdc5ab5aeb413af857777fb5e5fd13b62a3

    • SSDEEP

      6144:Vkup0yN90QEsvxUDJchSJrcu78hp1mQlZDJ0ML:Wy900WDJLJrtKp1mGRJ0g

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

  • Collection

    Data from Local System (T1005): 1

Tasks