General

  • Target: 54c1096830b67cf30a00bc70736d1a0d331d75ad5a2c6f15415108c51e22f744
  • Size: 451KB
  • Sample: 240906-mngbza1fpj
  • MD5: be932aa28d7a18ff0495a8c6846ff87b
  • SHA1: df8e63e701449eba08d9da77578a3caa02566752
  • SHA256: 54c1096830b67cf30a00bc70736d1a0d331d75ad5a2c6f15415108c51e22f744
  • SHA512: a5d4a2ea89adaae54af3da71d18ae5604abca2b503994e2c49141cba0212c169dee6e5bfc2a8be3a7f534124532e46d0933986fda3682f7dcd51c19b138ad644
  • SSDEEP: 12288:cjUTf6Kz0EE9fIhLvkggI/Y9UHD/Eqw3iBONo6zk:cjUTiKlE90km/Y9UjcDoAk

Malware Config

Extracted

  • Family: redline
  • Botnet: lovato
  • C2: 57.128.132.216:55123

Targets

    • Target: RFQ-Al NASR-00388.exe
    • Size: 1.2MB
    • MD5: 3061698f92d9687f0db272a011b7233a
    • SHA1: c978701c0f44c0b6786db78260c4cbe7c26119b0
    • SHA256: 48c08ffb5d775cc658f104dc91f823ba5f718efa9baa0938f070f1b3f6941d77
    • SHA512: b49bf3de441f1866a833330e8470c5ec0a47181ccac6d18743a1904b1f75515d7d8eb82324a91af61a5bf43ed42d49ef6fd4a8d11c2e586c14c0b096e36042b0
    • SSDEEP: 12288:xiGaMjooOgsixdY7ck4nZ2yGcPAk8drp5FF:LP5xdHJ2qVirXFF

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks