redline | 6e4a44c3de0e80fecece030c2d219e2d20f8bb73366172533f62297d1d5b1d6c | Triage

Submit
Reports

Overview

overview

Static

static

1

ad86c5cb9f...0N.exe

windows7-x64

ad86c5cb9f...0N.exe

windows10-2004-x64

Sharing

General

Target

ad86c5cb9f936936ffbae85f43bf2a40N.exe
Size

797KB
Sample

240715-j1q56azale
MD5

ad86c5cb9f936936ffbae85f43bf2a40
SHA1

8c3916a0807b528dfbc52f2c7826d7e6cbc2320d
SHA256

6e4a44c3de0e80fecece030c2d219e2d20f8bb73366172533f62297d1d5b1d6c
SHA512

7ad6645e4c7365ead5ce38853e3002ad184e2f67604439f32be8c13217e5f5e5c9df68f568d2c6bb16ceb947b6ecb949fad95032fc770ef88be8f7e93efe7c93
SSDEEP

12288:hVVx0xC0+wZHVUXLCZLiF/d6/7iDlpOWphcotUTEvkR:TVxEC7wZ6cLiFa7YlpOqhcotUEq

Score

10^/10

redline sectoprat commanderking execution infostealer rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

ad86c5cb9f936936ffbae85f43bf2a40N.exe

Resource

win7-20240704-en

redline sectoprat commanderking execution infostealer rat trojan

windows7-x64

10 signatures

120 seconds

Behavioral task

behavioral2

Sample

ad86c5cb9f936936ffbae85f43bf2a40N.exe

Resource

win10v2004-20240709-en

redline sectoprat commanderking execution infostealer rat trojan

windows10-2004-x64

11 signatures

120 seconds

Malware Config

Extracted

Family

redline

Botnet

Commanderking

C2

185.216.70.15:65012

Targets

- Target
  
  ad86c5cb9f936936ffbae85f43bf2a40N.exe
- Size
  
  797KB
- MD5
  
  ad86c5cb9f936936ffbae85f43bf2a40
- SHA1
  
  8c3916a0807b528dfbc52f2c7826d7e6cbc2320d
- SHA256
  
  6e4a44c3de0e80fecece030c2d219e2d20f8bb73366172533f62297d1d5b1d6c
- SHA512
  
  7ad6645e4c7365ead5ce38853e3002ad184e2f67604439f32be8c13217e5f5e5c9df68f568d2c6bb16ceb947b6ecb949fad95032fc770ef88be8f7e93efe7c93
- SSDEEP
  
  12288:hVVx0xC0+wZHVUXLCZLiF/d6/7iDlpOWphcotUTEvkR:TVxEC7wZ6cLiFa7YlpOqhcotUEq
Score

10^/10

redline sectoprat commanderking execution infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectopratcommanderkingexecutioninfostealerrattrojan

behavioral2

redlinesectopratcommanderkingexecutioninfostealerrattrojan

© 2018-2024

Terms | Privacy