General

  • Target

    e8085ecf7923f4244540ba7ca37cdfcd25d85626ef5146e1fe9874fcb2b3eefc.zip

  • Size

    507KB

  • Sample

    241003-crangszbpj

  • MD5

    9d35d32867eaadf6843a747136520684

  • SHA1

    ddc42cb45f4176d0f29827eedf68d852e7d482c6

  • SHA256

    e8085ecf7923f4244540ba7ca37cdfcd25d85626ef5146e1fe9874fcb2b3eefc

  • SHA512

    9771cc69d24c631c92aeeee3d1bef9562c20bbaf13ba62d79277e962d42e99f873e616f0e126ce74ed4257dc6cae01821e243315cb88787e1f090ab2d860c9d0

  • SSDEEP

    12288:RtHcmbJoWdQL9PV/9CPZVNMrHFSEmoYT1YixP:Pcm9oWdQp99CxVNMrHFJ1ixP

Malware Config

Extracted

Family

redline

Botnet

success-logs

C2

147.182.130.25:16383

Targets

    • Target

      QB0r4QtlrplEWdQ.exe

    • Size

      617KB

    • MD5

      fcc14969210d92d91800ce025b075381

    • SHA1

      c233d2ba3d3367b96e5b14b94f14b4c88b001390

    • SHA256

      0e1fb62097c161842c8ff7fd63904b00d0403a1cfffb961c1f1130f009bffcfb

    • SHA512

      34a04239e3d300037a88331e71919b4a5cf4d0ba7dfb31f61847d6671b6388589c0ba36f8f12546d8d0ff1fb2b5a39a72e777a6b9e868eb3cd0648bb58c829d3

    • SSDEEP

      12288:A1ZF8KZ3TdIz/yd0GNCtCPNV/MrH5SEqwdIZrjBh4:Aypz/EBotC1V/MrH5JqSIZnX

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks