redline

Sharing

General

Target

1740044424dee02f4c88b2cf3b9190061efdf7642e90b7a0d6706f2a982b771a
Size

789KB
Sample

241105-lcxddaycke
MD5

e3e1014dac8132ef3a8ff2a7c28dd504
SHA1

b3dac8b4498eca6d95837ec9916590b217e57b89
SHA256

1740044424dee02f4c88b2cf3b9190061efdf7642e90b7a0d6706f2a982b771a
SHA512

eaef5414899d55277f9ef94ff02f5ab17a71254aa3ac40680ecb25e971ff06d347bd1cc077bc13130fab1f267a6a1bbac9667ee4c3b0b859160ae368d33ec62b
SSDEEP

24576:bZl61V7JlBUrOYm9Ti5Dp05ugRjPgCvCJ:bZgV7JHGOYP0ugiJ

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

rich

95.217.248.44:11695

Extracted

Family

redline

Botnet

boss12

109.248.201.150:63757

Extracted

Family

redline

Botnet

@unityy1

185.250.206.82:21330

Extracted

Family

redline

Botnet

Cryptex0816

185.92.73.140:80

Targets

- Target
  
  Installer.exe
- Size
  
  418KB
- MD5
  
  84515ba27617fd0d6e6e61343c82ee56
- SHA1
  
  341ab08a1b2d951080f89db0ffb49a455d86d6c0
- SHA256
  
  6c82b47b3f2704735dc371304a37a9f57a8949c1367e027445fa277a948b0875
- SHA512
  
  ae04da3d9c3c2b6c7bbc7fe6c5b9b524bf1547b940c7c5990e0554da1e4ba6673f2ec92cd689f384e9333e97dacaa6a39bcc4a7f62e7069259b4c95dd9a33668
- SSDEEP
  
  6144:1KPCSvTvKhXQsutR5IXdoF+r2I1Fyjbl66A93LnYDttxU7Uu68ksVii:1BSvTkAXtvldA93LYzxOd69
Score

10^/10

defense_evasion discovery evasion execution privilege_escalation trojan redline sectoprat rich infostealer rat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Minecraft_v2.2.exe
- Size
  
  815KB
- MD5
  
  8bcfb9320a0570d0f84273d298a268ab
- SHA1
  
  63f51886a52e54ae549ea720164396c2d9e07812
- SHA256
  
  5471c7d3aa5ad7016fb59b9bbef2328ff1397dd70ec8ad213a8ff598c5fce8cc
- SHA512
  
  60388b36d6ea3622fe40a2d76a45bdbace5d577742e03bfbf68b211faa3a9ff6efeae9c886cc2aa287d35284cedca56321ab315e3114b908d1dae1fffb767513
- SSDEEP
  
  6144:OXW9Zx9m/w3T+Z3RrCd40jsPV0mg0ykNbUkxChx4IQq14WT:OG9ZxJD+n2/wIlkqkxChx4Iz4WT
Score

10^/10

redline sectoprat boss12 discovery infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Setup.exe
- Size
  
  588KB
- MD5
  
  4df8dd40cea92fc437fbff1e6b1595ab
- SHA1
  
  19403b5800caa8d964dea24f81426d2a7f8e24b1
- SHA256
  
  409f15acc9e425d5f0cd8f1c6820b44067b5628c60a3a58114db3abf1196215b
- SHA512
  
  d961659b5b59d6e3f150f76b87e406597b7e9e6554ce6c2645e02e4dcfd5bbda01d2696be580456b9eb7e2ff7f3c07cbb8f78d3c0852ab44456c39ca7fe4f1da
- SSDEEP
  
  12288:akIrKG5eA1GoYqqbnIXWkvmc7Ln9VWbO/cp:arKg136
Score

10^/10

redline sectoprat @unityy1 discovery infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Setups.exe
- Size
  
  216KB
- MD5
  
  571ec37bbc0a7b94c3a3829ee47e5bad
- SHA1
  
  ef44ce30e13c73e4b07e3067b1e2107fe8948d8b
- SHA256
  
  459a684a6e6299ffbd967855a504ff2311cba4a8eccae192b1f4146cc3bf7382
- SHA512
  
  6a9d95f3d47f1e2ef45db236efbb8bc265fdfb9979163c6e7d2f51fb204be4930fe06b1ba63047482b7c9f34d7cb72106178484fead7f332abea22d733aa84b6
- SSDEEP
  
  3072:ktHnC1FHiLW9Oxi8uFbNUaBAICgV04WEyF5uXa0ToO/wumRE6Q14vmOw38a9Mm:kkmLBxczCmJyTu3p9OQ1qoYm
Score

10^/10

redline sectoprat cryptex0816 discovery infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Turns off Windows Defender SpyNet reporting

Windows security bypass

Detected Nirsoft tools

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Suspicious use of SetThreadContext

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Suspicious use of SetThreadContext

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Suspicious use of SetThreadContext

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8