General

  • Target

    3fb9c7fb6ce102e9e8f7eef037e9b0b120f69b5f4d3dbcf4ca84cba17f655ec8

  • Size

    95KB

  • Sample

    240820-pt6vxssaqe

  • MD5

    265b45d7a9d3f51b3b8512f3088c2e01

  • SHA1

    a3e8de6184f1e472d5a4f3deff5312bcc8674ad4

  • SHA256

    3fb9c7fb6ce102e9e8f7eef037e9b0b120f69b5f4d3dbcf4ca84cba17f655ec8

  • SHA512

    a98577273ab670d6bb646c08793fa813f0b0fe44099d0394477e6f56d93f393f2859ea4b027c9f92ffe2145bce5c5d62c2cb59d550a9d7d76102ea71e0e309ba

  • SSDEEP

    1536:Bqs+Wqm2lbG6jejoigI743Ywzi0Zb78ivombfexv0ujXyyed2s3teulgS6pUl:vZB+Y7+zi0ZbYe1g0ujyzdaU

Malware Config

Extracted

Family

redline

Botnet

Exodusmarket

C2

45.66.231.184:1334
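The indicators above (file digests and the RedLine C2 endpoint) are only useful once they are checked against telemetry. The following is an added example, not part of the sandbox report or of any RedLine tooling, that loads those indicators, hashes a file in chunks so it can be compared against the sample, and scans Zeek conn.log-style lines for connections to the C2. The log lines and the field order assumed for them are constructed for the example; the indicators themselves are copied from the report.

```python
"""Match host and network telemetry against the indicators extracted above."""
import hashlib

# Indicators copied from the sandbox report above.
IOC_HASHES = {
    "md5": "265b45d7a9d3f51b3b8512f3088c2e01",
    "sha1": "a3e8de6184f1e472d5a4f3deff5312bcc8674ad4",
    "sha256": "3fb9c7fb6ce102e9e8f7eef037e9b0b120f69b5f4d3dbcf4ca84cba17f655ec8",
}
C2_HOST = "45.66.231.184"
C2_PORT = 1334


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of a file, streamed in chunks."""
    digests = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def matches_sample(digests):
    """True only if every algorithm agrees with the report's digests."""
    return all(digests.get(name) == value for name, value in IOC_HASHES.items())


# Constructed Zeek conn.log-style records (assumed field order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto), not real traffic.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "\t".join(["1724166001.123", "Cabc01", "10.0.0.15", "49812", "142.250.74.46", "443", "tcp"]),
    "\t".join(["1724166003.456", "Cabc02", "10.0.0.15", "49820", C2_HOST, "1334", "tcp"]),
    "\t".join(["1724166005.789", "Cabc03", "10.0.0.22", "51001", C2_HOST, "8080", "tcp"]),
])


def find_c2_connections(log_text):
    """Return connections to the C2 host; exact host:port hits are 'high',
    hits on the host alone (operators rotate ports) are 'medium'."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed record; skip rather than crash the sweep
        ts, uid, orig_h, orig_p, resp_h, resp_p, _proto = fields[:7]
        if resp_h != C2_HOST:
            continue
        confidence = "high" if resp_p.isdigit() and int(resp_p) == C2_PORT else "medium"
        hits.append({"ts": ts, "uid": uid, "src": f"{orig_h}:{orig_p}",
                     "dst": f"{resp_h}:{resp_p}", "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(CONN_LOG):
        print(hit)
```

Comparing all three digests rather than only MD5 avoids acting on a collision-prone hash alone; a file that matches SHA256 but not MD5 should be treated as a data error, not a hit. The host-only match is kept at lower confidence because RedLine operators reuse infrastructure across ports.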

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its per-user and WOW6432Node counterparts) to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks