General

  • Target

    rRFQ-AlNASR-00388.exe

  • Size

    1.2MB

  • Sample

    240911-y292zs1bnm

  • MD5

    3061698f92d9687f0db272a011b7233a

  • SHA1

    c978701c0f44c0b6786db78260c4cbe7c26119b0

  • SHA256

    48c08ffb5d775cc658f104dc91f823ba5f718efa9baa0938f070f1b3f6941d77

  • SHA512

    b49bf3de441f1866a833330e8470c5ec0a47181ccac6d18743a1904b1f75515d7d8eb82324a91af61a5bf43ed42d49ef6fd4a8d11c2e586c14c0b096e36042b0

  • SSDEEP

    12288:xiGaMjooOgsixdY7ck4nZ2yGcPAk8drp5FF:LP5xdHJ2qVirXFF

Malware Config

Extracted

Family

redline

Botnet

lovato

C2

57.128.132.216:55123
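The extracted configuration above gives a practitioner two things to hunt for: the file itself (by hash) and beacons to the C2 endpoint. The following is an added example, not part of the sandbox report, that turns those indicators into a small matcher: it checks a file's digests against the listed hashes and scans Zeek-style conn.log records for connections to the C2 IP and port. The hashes and C2 are copied from the report above; the conn.log lines are constructed for illustration and are not from the sample's run. SSDEEP is deliberately left out because fuzzy matching returns a similarity score rather than an equality and needs the third-party ssdeep module.

```python
"""IOC matcher for the RedLine sample described on this page.

Added example, not part of the sandbox report. The hashes and C2 endpoint
are the ones listed in the report; the Zeek-style conn.log lines below are
constructed for illustration and are not from the sample's run.
"""
import hashlib
import ipaddress

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "3061698f92d9687f0db272a011b7233a",
    "sha1": "c978701c0f44c0b6786db78260c4cbe7c26119b0",
    "sha256": "48c08ffb5d775cc658f104dc91f823ba5f718efa9baa0938f070f1b3f6941d77",
    "sha512": "b49bf3de441f1866a833330e8470c5ec0a47181ccac6d18743a1904b1f75515d7d8eb82324a91af61a5bf43ed42d49ef6fd4a8d11c2e586c14c0b096e36042b0",
}
C2_IP = "57.128.132.216"
C2_PORT = 55123


def hash_file_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests of data.
    SSDEEP is omitted: it needs the third-party ssdeep module and yields a
    similarity score, not an equality, so it does not belong in an exact match."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def matches_sample(data: bytes) -> bool:
    """True only if every listed digest matches. A single mismatch means a
    different file (or a mistyped report), so partial matches are rejected."""
    digests = hash_file_bytes(data)
    return all(digests[name] == value for name, value in SAMPLE_HASHES.items())


def find_c2_connections(conn_log_lines):
    """Scan Zeek conn.log records (tab-separated, default field order:
    ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, ...) for connections
    to the RedLine C2. Returns a list of (ts, src_ip, dst_ip, dst_port)."""
    c2_addr = ipaddress.ip_address(C2_IP)
    hits = []
    for line in conn_log_lines:
        if not line or line.startswith("#"):
            continue  # skip Zeek header/comment lines
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue  # malformed record; a bad line must not abort the scan
        ts, _uid, src_ip, _src_port, dst_ip, dst_port = fields[:6]
        try:
            dst = ipaddress.ip_address(dst_ip)
            port = int(dst_port)
        except ValueError:
            continue  # unparsable address or port; skip rather than crash
        if dst == c2_addr and port == C2_PORT:
            hits.append((ts, src_ip, dst_ip, port))
    return hits


# Constructed Zeek conn.log excerpt (not from the sample's sandbox run).
# Two hosts reach the C2 on 55123; one record hits the same IP on port 80
# and is intentionally not matched by the port-qualified rule above.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1726040001.112\tCabc1\t10.0.0.15\t49812\t142.250.74.46\t443\ttcp",
    "1726040003.557\tCabc2\t10.0.0.15\t49813\t57.128.132.216\t55123\ttcp",
    "1726040004.901\tCabc3\t10.0.0.15\t49814\t57.128.132.216\t80\ttcp",
    "1726040007.330\tCabc4\t10.0.0.22\t51002\t57.128.132.216\t55123\ttcp",
]

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONN_LOG):
        print("C2 beacon:", hit)
    print("arbitrary bytes match the sample:", matches_sample(b"not the sample"))
```

The port is part of the indicator because RedLine's C2 is configured as IP:port; if you would rather alert on any traffic to the address (for example because the operator may rotate ports), drop the port comparison in find_c2_connections and treat the port-80 record above as a hit as well.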

Targets

    • Target

      rRFQ-AlNASR-00388.exe

    • Size

      1.2MB

    • MD5

      3061698f92d9687f0db272a011b7233a

    • SHA1

      c978701c0f44c0b6786db78260c4cbe7c26119b0

    • SHA256

      48c08ffb5d775cc658f104dc91f823ba5f718efa9baa0938f070f1b3f6941d77

    • SHA512

      b49bf3de441f1866a833330e8470c5ec0a47181ccac6d18743a1904b1f75515d7d8eb82324a91af61a5bf43ed42d49ef6fd4a8d11c2e586c14c0b096e36042b0

    • SSDEEP

      12288:xiGaMjooOgsixdY7ck4nZ2yGcPAk8drp5FF:LP5xdHJ2qVirXFF

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks