General

  • Target: client (123).rar
  • Size: 563KB
  • Sample: 241003-wrglksyhjk
  • MD5: 2c362898a559baa5f9dc529fd52347df
  • SHA1: 4cadfe7bfca41e5eed7e139441087a460fdd23d2
  • SHA256: 66869eb13eb86da59ca5f6956e24a15608ece60e1c497fa8e0f57b4f55e868aa
  • SHA512: 60576f61e13aa98e82bb957ee832a9c7f8e1d6a90b8f139675d5aa00e50023fce40b55e6db41c7e9e763ce4c3bef5938f7296663f12e18501a377e43acea84fe
  • SSDEEP: 12288:xtx00ONR2iCF+tGozbAq/0oa9vSmo0sV64EzmajUZQjDsP+IVFL9/r+wTA:xb0PsiCot/r0RxSmzM6pjDsP+ALlrvA

Malware Config

Extracted

  • Family: redline
  • Botnet: cheat123
  • C2: 194.11.246.68:45946

Targets

    • Target: client.exe
    • Size: 1003KB
    • MD5: 7fcb9c36578d29b08c6d43252bff9823
    • SHA1: b0348c70c402e1901f0b683cae55afa93952d4b2
    • SHA256: 96b6a2b45c02a74e5dcfd0b867fd3481f79d81510a9d15da8461291b468db484
    • SHA512: 6fac07edf55898b419ba73a2723fa547fcc75d9480dc22d0a67e407e71746ad16cd31e1c3b834ad9c06d789f047d57d4986c84b1b963727763e4128808bb299c
    • SSDEEP: 12288:r6Yo3OpHnvQoS7uwXMox9rqKiZDhYkS07bRKu0ZATyMw57+xvoKikpslraAD:Wz3MHn4o7wXZx9rQS0/QWziZaAD

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks