redline | 7d27d6d1580326ac63d04df92ed0f054df38dae95f79fd88d62501ab6e994149 | Triage

Sharing

General

Target

new.zip
Size

145KB
Sample

240705-p5kf3a1ejc
MD5

2a42a28635f5e9ad7592845f1eaa0101
SHA1

6dea7043bf92a0763741328490ea49efe499a717
SHA256

7d27d6d1580326ac63d04df92ed0f054df38dae95f79fd88d62501ab6e994149
SHA512

563c52167c62f899aa9fc21fdd961f91dce1cae1483424f0529491776e2aa932db760149e65daec0580eed1cbfd4cd0b00b3f478ff2767ccffa8e2ae593e6f42
SSDEEP

3072:B1MSwNl8rmQwD0NaKt/cdtHXjbF1b8owf/2a1oBSKwj4QrousIODNtG:Yl6pwD0wKxcdtHXjIown2a1oB8USODNU

Score

10^/10

redline sectoprat max execution infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

MAX

C2

maxwiz1221.duckdns.org:45867

Targets

- Target
  
  new.ps1
- Size
  
  242KB
- MD5
  
  aa0d92ff6d6a1d18f6149f6d0ad03139
- SHA1
  
  6a33134bf530a61b764bf2287baf8fd0aea603ab
- SHA256
  
  f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f
- SHA512
  
  4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3
- SSDEEP
  
  3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG
Score

10^/10

execution persistence redline sectoprat max infostealer rat spyware trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

executionpersistence

behavioral2

redlinesectopratmaxexecutioninfostealerpersistenceratspywaretrojan