General

  • Target: 18da95aef5e992aacfe205534cb0b73c.bin
  • Size: 566KB
  • Sample: 240707-cs3ews1dqr
  • MD5: 7c2738a7f893cec2527156a56ec83a45
  • SHA1: 90b1b5e61c3f5ec57559c90243a1573eb89f9739
  • SHA256: feec7c869b12ae05697e84d67b9dbbac3c4e3554a9d77bd498ce928a6f82d222
  • SHA512: b730209e732fceee9f0f5e94278dc0075056bf27e36dd4da760f78834c7d2d6dc4a9b6aab2eac38cf2219e417c35ee3a6201d99c96ba97df85c3cc2f31bba830
  • SSDEEP: 12288:8jssE2qAR83K/IiNoJL7XvzJsS5A0erb+ta:8j1E2v865NorWx0eSa

Malware Config

Extracted

  • Family: redline
  • Botnet: cheat
  • C2: 45.137.22.124:55615

Targets

    • Target: 26c199fee4db63767ab6a7ca3b251ebaa3d8d08150d1aebef56546bdb5ea395a.exe
    • Size: 713KB
    • MD5: 18da95aef5e992aacfe205534cb0b73c
    • SHA1: 9ed5b6c676ffbde8b15779078e5d23e0bbebfed5
    • SHA256: 26c199fee4db63767ab6a7ca3b251ebaa3d8d08150d1aebef56546bdb5ea395a
    • SHA512: 4a0ab26d6f4f98550bc8b8ada81a5c0e4acf83b5603d23322126fc1bf1200913467460c411f0bc18d5bc45266b03e6033d75ae999c4ac32119d03128d7a4cf3e
    • SSDEEP: 12288:8xaE8GILjWLWgumApXye0917WKVpkQRPArxQbXStkR:dcuzTw17WKVpkQRPaxJw

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                | Technique / Sub-technique          | Count | ID
  ----------------------|------------------------------------|-------|----------
  Execution             | Command and Scripting Interpreter  | 1     | T1059
  Execution             | PowerShell                         | 1     | T1059.001
  Execution             | Scheduled Task/Job                 | 1     | T1053
  Execution             | Scheduled Task                     | 1     | T1053.005
  Persistence           | Scheduled Task/Job                 | 1     | T1053
  Persistence           | Scheduled Task                     | 1     | T1053.005
  Privilege Escalation  | Scheduled Task/Job                 | 1     | T1053
  Privilege Escalation  | Scheduled Task                     | 1     | T1053.005
  Credential Access     | Unsecured Credentials              | 2     | T1552
  Credential Access     | Credentials In Files               | 2     | T1552.001
  Discovery             | Query Registry                     | 2     | T1012
  Discovery             | System Information Discovery       | 2     | T1082
  Collection            | Data from Local System             | 2     | T1005

Tasks