redline | ac4283d5ba38427cde5ecf6a7dc14df49e6467a5e08dd6408f9b0894a04d4835 | Triage

Sharing

General

Target

ac4283d5ba38427cde5ecf6a7dc14df49e6467a5e08dd6408f9b0894a04d4835
Size

740KB
Sample

241107-hn19xsyapq
MD5

66161d71fe0fd2535941433e39fb8331
SHA1

675a86ba74609bd8dcdc38e347ea315f1215158a
SHA256

ac4283d5ba38427cde5ecf6a7dc14df49e6467a5e08dd6408f9b0894a04d4835
SHA512

35d46eda415dbb310dd6022e118c424d071b9760b732326a7392fbeec53e7a352d35c48e0f7edd17cd1bf936accb548b218a9dd2a6935b356d6cc0a38f716dcd
SSDEEP

12288:PIcC3JxJas93ZfsvBk07hj8fwwvLMeb0dlmHHuHoMMLm2r3JCLh:Ax5xcU9EGuhIfw5ebckOIr6kQh

Score

10^/10

redline sectoprat discovery infostealer rat trojan

Malware Config

Targets

- Target
  
  Kurome.Builder/Kurome.Builder.exe
- Size
  
  473KB
- MD5
  
  a2dea5e5eae84e32bc4dc3c6789d7939
- SHA1
  
  d31ec0c15ca50e4663b39be351c8562269a065b2
- SHA256
  
  c747032f12707103c70dccd112c51eacb8151e4b401a54a2b6fed2a4aad800bd
- SHA512
  
  60dd889f5c3ed3a3fc1e42cd072590eeb344e34d6a2a693d45cac51914b75f1bda8931c7025b2366f4cdc4ecdad1fc6bf77eb0daf43e551e2f795e6b9f44ae1a
- SSDEEP
  
  12288:D5Hisa3jCsD6y0ch0C3wwILMeKSdlKHHV:DhijmWHphX3wyeK6Y1
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Kurome.Builder/Mono.Cecil.Mdb.dll
- Size
  
  42KB
- MD5
  
  1c6aca0f1b1fa1661fc1e43c79334f7c
- SHA1
  
  ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d
- SHA256
  
  411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b
- SHA512
  
  1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76
- SSDEEP
  
  768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS
Score

1^/10
behavioral3 behavioral4
- Target
  
  Kurome.Builder/Mono.Cecil.Pdb.dll
- Size
  
  87KB
- MD5
  
  6d5eb860c2be5dbeb470e7d3f3e7dda4
- SHA1
  
  80c76660b87c52127b1a7da48e27700f75362041
- SHA256
  
  447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4
- SHA512
  
  64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5
- SSDEEP
  
  1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO
Score

1^/10
behavioral5 behavioral6
- Target
  
  Kurome.Builder/Mono.Cecil.Rocks.dll
- Size
  
  27KB
- MD5
  
  6e7f0f4fff6c49e3f66127c23b7f1a53
- SHA1
  
  14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a
- SHA256
  
  2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e
- SHA512
  
  0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e
- SSDEEP
  
  384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd
Score

1^/10
behavioral7 behavioral8
- Target
  
  Kurome.Builder/Mono.Cecil.dll
- Size
  
  350KB
- MD5
  
  de69bb29d6a9dfb615a90df3580d63b1
- SHA1
  
  74446b4dcc146ce61e5216bf7efac186adf7849b
- SHA256
  
  f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
- SHA512
  
  6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015
- SSDEEP
  
  6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD
Score

1^/10
behavioral10 behavioral9
- Target
  
  Kurome.Builder/stub.dll
- Size
  
  96KB
- MD5
  
  625ed01fd1f2dc43b3c2492956fddc68
- SHA1
  
  48461ef33711d0080d7c520f79a0ec540bda6254
- SHA256
  
  6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b
- SHA512
  
  1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665
- SSDEEP
  
  1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl
Score

10^/10

redline sectoprat discovery infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

redlinesectoprat

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

redlinesectopratdiscoveryinfostealerrattrojan

behavioral12

redlinesectopratdiscoveryinfostealerrattrojan