General

  • Target

    d3919ee38d414995b5d77f76c9491b60N.exe

  • Size

    472KB

  • Sample

    240803-y2kr4ayeme

  • MD5

    d3919ee38d414995b5d77f76c9491b60

  • SHA1

    364e9d763ac8c80efd6c84b9d44dcf7e79c88f7b

  • SHA256

    5e84bae5696d65f852746a39416bbf77e4af9c42562c9b945e49fb79d7f36e27

  • SHA512

    904630adf00fad47f145964b4823dc843cb0430a55143f02d41130e05ed86e9233871c09a1cb1a242cac3242ed21e82c6398b2a2c5f85c9333093e2141893969

  • SSDEEP

    12288:7pxiviXZ2egclzBK6BJZpWskPhIMjluC61XAnc:txlXZ2egcbK6BlWlhxaH

Malware Config

Extracted

Family

redline

Botnet

success-logs

C2

147.182.130.25:16383

Targets

    • Target

      d3919ee38d414995b5d77f76c9491b60N.exe

    • Size

      472KB

    • MD5

      d3919ee38d414995b5d77f76c9491b60

    • SHA1

      364e9d763ac8c80efd6c84b9d44dcf7e79c88f7b

    • SHA256

      5e84bae5696d65f852746a39416bbf77e4af9c42562c9b945e49fb79d7f36e27

    • SHA512

      904630adf00fad47f145964b4823dc843cb0430a55143f02d41130e05ed86e9233871c09a1cb1a242cac3242ed21e82c6398b2a2c5f85c9333093e2141893969

    • SSDEEP

      12288:7pxiviXZ2egclzBK6BJZpWskPhIMjluC61XAnc:txlXZ2egcbK6BlWlhxaH

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks