redline

Sharing

Copy URL

Twitter E-mail

General

Target

TokenGrabber.zip
Size

4.2MB
Sample

240805-1zd8mstemf
MD5

e88d1825e4986a478090a8ad32f37bbd
SHA1

0d46c03a44febdfb6105ae6aab9a03728522912f
SHA256

f4d4a93ecb36d9fab1a2682546bac78f2f9a407ae4a26449e90e5a3dc1051628
SHA512

1624c8ca0e8ac1b51e4bc0d3dfc60a8e9d2193e71b5b3bab28823659582c093840524e98ee016e5e36b38cac1d2e8a081964e1467d90d875ec9f65fd8000113f
SSDEEP

98304:TVZW3NAlhbkwyYQLxig4O/ejs17Z7fbTiWcnBLUwzUbvUf4JlreCWtK/7dW1J:TVZQN6dkwyX4Oj7bToBhqTlrjWkU1J

Score

10^/10

Malware Config

Targets

- Target
  
  TokenGrabber.zip
- Size
  
  4.2MB
- MD5
  
  e88d1825e4986a478090a8ad32f37bbd
- SHA1
  
  0d46c03a44febdfb6105ae6aab9a03728522912f
- SHA256
  
  f4d4a93ecb36d9fab1a2682546bac78f2f9a407ae4a26449e90e5a3dc1051628
- SHA512
  
  1624c8ca0e8ac1b51e4bc0d3dfc60a8e9d2193e71b5b3bab28823659582c093840524e98ee016e5e36b38cac1d2e8a081964e1467d90d875ec9f65fd8000113f
- SSDEEP
  
  98304:TVZW3NAlhbkwyYQLxig4O/ejs17Z7fbTiWcnBLUwzUbvUf4JlreCWtK/7dW1J:TVZQN6dkwyX4Oj7bToBhqTlrjWkU1J
Score

1^/10
behavioral1 behavioral2
- Target
  
  DControl/Defender_Settings.vbs
- Size
  
  313B
- MD5
  
  b0bf0a477bcca312021177572311e666
- SHA1
  
  ea77332d7779938ae8e92ad35d6dea4f4be37a92
- SHA256
  
  af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
- SHA512
  
  09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8
Score

3^/10
behavioral3 behavioral4
- Target
  
  DControl/ReadMe.txt
- Size
  
  2KB
- MD5
  
  8dbe87a9bf6342c4e2ea406fa86e76bb
- SHA1
  
  35fe083b3f5793fe1b803d091262e4dee2cd0c4d
- SHA256
  
  d3b0219253a58ccb394559751299bd16dba1120e02cb11571c3b6a085b1027f8
- SHA512
  
  3fca076f1c6fe286bef4d211fad2643e2c2e426d75e665c1a1c8dd241689fbd3911544b90f65e0b2ab25ce0ff63fc5520684ff7c1c2fb71be9cda6359a8b1c8e
Score

1^/10
behavioral5 behavioral6
- Target
  
  DControl/dControl.exe
- Size
  
  447KB
- MD5
  
  58008524a6473bdf86c1040a9a9e39c3
- SHA1
  
  cb704d2e8df80fd3500a5b817966dc262d80ddb8
- SHA256
  
  1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- SHA512
  
  8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- SSDEEP
  
  6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Score

7^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral7 behavioral8
- Target
  
  out.upx
- Size
  
  653KB
- MD5
  
  6970ea0b6597dcd5b4f5f19f28e958a8
- SHA1
  
  a0130bb7ac03ec4799c90781ca93fd1392c6d54c
- SHA256
  
  481e03978ca339ce697252895efe89b09fefd3098ad247d24eeb6cca9969f553
- SHA512
  
  bc95cbe9a050e3d3b713745ef399bf2817d38f8e019f6edffdd2bf755badbde766e434e39a7f32356125bba0692b694c18da8dd0762aac0c9430d45acb215e01
- SSDEEP
  
  12288:nkxDoouVA2nxKkhEvdRgQriDJOIlW+yBGQowlNCWS:RRmJkioQrilOIc+yMx
Score

1^/10
behavioral10 behavioral9
- Target
  
  DControl/dControl.ini
- Size
  
  85KB
- MD5
  
  05450ff06366ae22654b63a6e27d1624
- SHA1
  
  11453c370f41287fb6339e509bb9d3c91842b379
- SHA256
  
  8e9a84da243905685ca77b6ef71841e610b88b7963d4de59f6dcbdd1621ecacd
- SHA512
  
  ee0a9605b566aa89c8c9b260e1d9c15aecbd6cddc2df47fe24ef2cafbe8923b3e025bd5cd3d34499292589a3c094dd796ab4560c8099bad2051a54928c37b4b2
- SSDEEP
  
  768:i/G+NmPfjsxaxdk2akexodULxEQq1wIgC+AEbSr6:1+NyjsxkKdkJdULgbWSO
Score

1^/10
behavioral11 behavioral12
- Target
  
  Grabber Builder/GrabberBuilder.exe
- Size
  
  3.4MB
- MD5
  
  fb7b19adc02c514e4e396b0184fe4d5b
- SHA1
  
  7067272c1aa7dcb9cbe37699da88e18ddcd4e616
- SHA256
  
  56f44437618196097836457153108f24370c94cad2f078076e96221797ddff10
- SHA512
  
  5df96dabef422b22d54a884289b80d028c8cc0d5cf095d032d5126002c04e826090f61ed549d800a28945f7afcbd7c74debcd65948de01b12463127d1750bc40
- SSDEEP
  
  98304:pcO+IuSn/xejlEvsJyrNyPL3Prc/BJUvju+wp:tZr/2xyUPLYZJU6
Score

10^/10

redline sectoprat credential_access discovery evasion infostealer rat spyware stealer themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  Grabber Builder/MetroFramework.Fonts.dll
- Size
  
  656KB
- MD5
  
  612080028164b12939751dcccbb68d4a
- SHA1
  
  db066593c63d2eff41a5af1b49a3e098b60e0013
- SHA256
  
  e96030fddaf7e78401567ee82480ad75ee48d3556199a3f85c0ec669edac2ef4
- SHA512
  
  1879c960e27e32941c0c992b84803e7a1f8d243bfc88d17d3d32baca772290b9ea60a6ea90d53170be3bf7f0a58fe71ec901dc66aa560b4bf68b1da56c09fe18
- SSDEEP
  
  12288:H+/9JcJlYqCNktA+SXfGpq2fHowSqCNktA+SXfvJR9FrIJJaqCNktA+SXfUC:H+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJw
Score

1^/10
behavioral15 behavioral16
- Target
  
  Grabber Builder/MetroFramework.dll
- Size
  
  149KB
- MD5
  
  44538b311e9ec2bcf0a6452702628d99
- SHA1
  
  da67301539903775708e9ec913654851e9e8eade
- SHA256
  
  baf326f52d39155d722465947f4cc67e6e90cfd0f89954eab959568e9bc342aa
- SHA512
  
  b65e3bc1c0f7b4c8f778cf52a36d628301d60aab53fdaf0355163e4865bc3d3adbf8870bb6cefc604708fdf2c0e72258eaf2fe301d524af2f77bc08014c9610a
- SSDEEP
  
  3072:LU0T+erz8jYxYg5lzrPHlMUzxXd4kRZPI9q:vT+erz8jYxYgv/lxXGWPS
Score

1^/10
behavioral17 behavioral18
- Target
  
  Password.txt
- Size
  
  4B
- MD5
  
  81dc9bdb52d04dc20036dbd8313ed055
- SHA1
  
  7110eda4d09e062aa5e4a390b0a572ac0d2c0220
- SHA256
  
  03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
- SHA512
  
  d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db
Score

1^/10
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

UPX packed file

AutoIT Executable

SectopRAT

SectopRAT payload

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20