General

  • Target

    6923ea64d4bf71ccdaff7dfad093f120N.exe

  • Size

    647KB

  • Sample

    240801-mjsjfazhja

  • MD5

    6923ea64d4bf71ccdaff7dfad093f120

  • SHA1

    2953565b3c190b34da44b6ecfacb2be9529e5317

  • SHA256

    1d347d1d653653547112d9118d5346963bf78887f9f500c2598fd2f5d19700fa

  • SHA512

    982c9efe19014e246b75b43230ca6cd5e42c11d1b4757f0f2a114e9fea5fd8d9ef5e9bc1ab49958212ddc48fde64b830ef19911bcbbf892dbe76a657dc204944

  • SSDEEP

    12288:ISjofC1P1TAioAiXydFYdme2KE//r6J9VkgTJ73vmNlabHYk:Iq1VAiobydrr6ldj0o7

Malware Config

Extracted

  • Family

    redline

  • Botnet

    cheat

  • C2

    185.222.58.91:55615

Targets

    • Target

      6923ea64d4bf71ccdaff7dfad093f120N.exe

    • Size

      647KB

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15