General

  • Target

    3dca14e4e79017b9e684a751d4f59e04e9300352ecc669d7892e5a0ef241b4d5.exe

  • Size

    2.5MB

  • Sample

    240806-bylhwsvfln

  • MD5

    c7e4d5b46b0f99cbf31648c40a8b637b

  • SHA1

    466d84a802bbe2d1fb417b727504eb964f48cdc8

  • SHA256

    3dca14e4e79017b9e684a751d4f59e04e9300352ecc669d7892e5a0ef241b4d5

  • SHA512

    88038a6336885c6bbd1767aea16adcb482f6277ea0fbdfb27fc980af6fc1d7f06bf21e854daffb38a3d889a25da6f658b829bf5299ea0ad4c325d4b2e2c959fc

  • SSDEEP

    49152:0s5TnunM5LZ/DgOzsazGJ/CPum8J8yyyibW+qh3bheGAOYMbBwS:0KnuMFZ/DgOoaz7WdWyQbW+q5teabX

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

C2

51.83.170.23:16128

Targets

    • Target

      3dca14e4e79017b9e684a751d4f59e04e9300352ecc669d7892e5a0ef241b4d5.exe

    • Size

      2.5MB

    • MD5

      c7e4d5b46b0f99cbf31648c40a8b637b

    • SHA1

      466d84a802bbe2d1fb417b727504eb964f48cdc8

    • SHA256

      3dca14e4e79017b9e684a751d4f59e04e9300352ecc669d7892e5a0ef241b4d5

    • SHA512

      88038a6336885c6bbd1767aea16adcb482f6277ea0fbdfb27fc980af6fc1d7f06bf21e854daffb38a3d889a25da6f658b829bf5299ea0ad4c325d4b2e2c959fc

    • SSDEEP

      49152:0s5TnunM5LZ/DgOzsazGJ/CPum8J8yyyibW+qh3bheGAOYMbBwS:0KnuMFZ/DgOoaz7WdWyQbW+q5teabX

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks