General

  • Target

    RFQ-Al NASR-00388.exe

  • Size

    1.3MB

  • Sample

    240912-glathsthrc

  • MD5

    f5745634275b611f237d16d9dbf62f94

  • SHA1

    ca7a5863a0d7a3bdf2e17bf4bf1f7fb1ea7937c0

  • SHA256

    24985d941556f95dd3a91d2451d11d91af5633f618cd49a6a4ae31ece2dce41e

  • SHA512

    3a5ca85ab5bcdfc94d7e69dd71bea474bfc9c5f0c68056c3be5c2d53136799f7d44ae682f7021a37e297279ea718aae0ed33c80fbee0331ebb70a2e30f28b915

  • SSDEEP

    12288:aHuIbOgDfCNguCoTPtYhxL9xpVNscBOPIfW:CVaNgCrihFpNsPIe

Malware Config

Extracted

Family

redline

Botnet

lovato

C2

57.128.132.216:55123

Targets

    • Target

      RFQ-Al NASR-00388.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks