Overview

overview

10

Static

static

1

new.ps1

windows7-x64

6

new.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    new.zip

  • Size

    145KB

  • Sample

    240708-khymystbjd

  • MD5

    5910322e4f76a3188e557789303d96c0

  • SHA1

    21dd8f991d729a2ef3a741f00a970fd9ed519899

  • SHA256

    f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22

  • SHA512

    8436eeae959fc8b9b31603553c45d9f5612918e90b018b930227bcb532a666fdc6a6f93bb3682fdb14ed204141ebfe13c68b097720512f75cb448506b28da84f

  • SSDEEP

    3072:KDPTbRcwN2AjdSgupwlel3OtvRjbOzQn2GT+jswPLEz+2BY/Gy3NHLY3oFFqGwO+:UP/Rci2CtYwlw3OtvVwxPwaM0GoxY3EO

Score
10/10
redlinesectopratmaxexecutioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

redline

Botnet

MAX

C2

maxwiz1221.duckdns.org:45867

Targets

    • Target

      new.ps1

    • Size

      242KB

    • MD5

      aa0d92ff6d6a1d18f6149f6d0ad03139

    • SHA1

      6a33134bf530a61b764bf2287baf8fd0aea603ab

    • SHA256

      f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f

    • SHA512

      4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3

    • SSDEEP

      3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

    Score
    10/10
    executionpersistenceredlinesectopratmaxinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks