Overview

overview

10

Static

static

1

new.ps1

windows7-x64

6

new.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    new.zip

  • Size

    145KB

  • Sample

    240705-p5kf3a1ejc

  • MD5

    2a42a28635f5e9ad7592845f1eaa0101

  • SHA1

    6dea7043bf92a0763741328490ea49efe499a717

  • SHA256

    7d27d6d1580326ac63d04df92ed0f054df38dae95f79fd88d62501ab6e994149

  • SHA512

    563c52167c62f899aa9fc21fdd961f91dce1cae1483424f0529491776e2aa932db760149e65daec0580eed1cbfd4cd0b00b3f478ff2767ccffa8e2ae593e6f42

  • SSDEEP

    3072:B1MSwNl8rmQwD0NaKt/cdtHXjbF1b8owf/2a1oBSKwj4QrousIODNtG:Yl6pwD0wKxcdtHXjIown2a1oB8USODNU

Score
10/10
redlinesectopratmaxexecutioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

MAX

C2

maxwiz1221.duckdns.org:45867

Targets

    • Target

      new.ps1

    • Size

      242KB

    • MD5

      aa0d92ff6d6a1d18f6149f6d0ad03139

    • SHA1

      6a33134bf530a61b764bf2287baf8fd0aea603ab

    • SHA256

      f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f

    • SHA512

      4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3

    • SSDEEP

      3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

    Score
    10/10
    executionpersistenceredlinesectopratmaxinfostealerratspywaretrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks