redline

General

Target

0d6c896c5a03275b016b6c396a3188d6_JaffaCakes118
Size

3.3MB
Sample

240625-knxmvasfnm
MD5

0d6c896c5a03275b016b6c396a3188d6
SHA1

3b4d5c81b97d58770adffec69073745e938c93b2
SHA256

ef4bfc8695a0eef80365ae2e0bbf8078045e10e71a33e5fcae0c2ffddd923001
SHA512

f5bd40920803a173a5db025f04a3620065bcf0f2c87d8469a33a1729424180483d06ec05934e24c76d58c03108616e42aa68efe2be085f1a8c330fa81da32528
SSDEEP

49152:ij5TDib7I2qjdhcqEpQeiJcCCmmO5VxwHKvRGsb3/Zw5YNUhrDOHk5+Z:ij5T2bwrxZsFmLvSIGsba6N2PUgk

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

mastif

C2

194.156.99.23:5133

Targets

- Target
  
  0d6c896c5a03275b016b6c396a3188d6_JaffaCakes118
- Size
  
  3.3MB
- MD5
  
  0d6c896c5a03275b016b6c396a3188d6
- SHA1
  
  3b4d5c81b97d58770adffec69073745e938c93b2
- SHA256
  
  ef4bfc8695a0eef80365ae2e0bbf8078045e10e71a33e5fcae0c2ffddd923001
- SHA512
  
  f5bd40920803a173a5db025f04a3620065bcf0f2c87d8469a33a1729424180483d06ec05934e24c76d58c03108616e42aa68efe2be085f1a8c330fa81da32528
- SSDEEP
  
  49152:ij5TDib7I2qjdhcqEpQeiJcCCmmO5VxwHKvRGsb3/Zw5YNUhrDOHk5+Z:ij5T2bwrxZsFmLvSIGsba6N2PUgk
Score

10^/10

redline sectoprat mastif agilenet evasion infostealer rat themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

SectopRAT

SectopRAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2