redline | f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22 | Triage

Sharing

General

Target

f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22
Size

145KB
Sample

240708-kztekatgpa
MD5

5910322e4f76a3188e557789303d96c0
SHA1

21dd8f991d729a2ef3a741f00a970fd9ed519899
SHA256

f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22
SHA512

8436eeae959fc8b9b31603553c45d9f5612918e90b018b930227bcb532a666fdc6a6f93bb3682fdb14ed204141ebfe13c68b097720512f75cb448506b28da84f
SSDEEP

3072:KDPTbRcwN2AjdSgupwlel3OtvRjbOzQn2GT+jswPLEz+2BY/Gy3NHLY3oFFqGwO+:UP/Rci2CtYwlw3OtvVwxPwaM0GoxY3EO

Score

10^/10

redline sectoprat max execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

MAX

C2

maxwiz1221.duckdns.org:45867

Targets

- Target
  
  new.ps1
- Size
  
  242KB
- MD5
  
  aa0d92ff6d6a1d18f6149f6d0ad03139
- SHA1
  
  6a33134bf530a61b764bf2287baf8fd0aea603ab
- SHA256
  
  f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f
- SHA512
  
  4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3
- SSDEEP
  
  3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG
Score

10^/10

execution persistence redline sectoprat max infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

executionpersistence

behavioral2

redlinesectopratmaxexecutioninfostealerpersistencerattrojan