General

  • Target

    60a0a96914db4a17b095d08e300bf1a354228cc7591f0a90e5e765e48c30834a

  • Size

    465KB

  • Sample

    241108-rh1wmstenn

  • MD5

    f1ca23dbcd5f61d1dd5794a0d1016f97

  • SHA1

    3e84962c00b284632057521132fd2ac8a58d4373

  • SHA256

    60a0a96914db4a17b095d08e300bf1a354228cc7591f0a90e5e765e48c30834a

  • SHA512

    503134f0c3f51c837a5ef77c24239912996baf09e5468733fccacf454e0fdd28ab72db494813e7d5f72c2673a1341779839b0796315168b55deecafe8daa44e1

  • SSDEEP

    12288:q1C94ZEqbjSQvOplqrRfpZe/97e6RKJ2CTkl8rnYw5wqcB21rii:uC94ZZYErBze/5eGa2WRtwqcUF

Malware Config

Extracted

  • Family

    redline

  • Botnet

    bk

  • C2

    212.192.246.222:11418

Targets

    • Target

      RQF #00811-AL WASL MACHINERY.exe

    • Size

      754KB

    • MD5

      0c2e3011179bd1933d70bd7a50946730

    • SHA1

      eaff2c6db824fbc5426db7b5df01449f5e991d7a

    • SHA256

      950b38612b5652e628dc6d55dffa1093dc4ed789d973be4278262d7257a8e81b

    • SHA512

      aaa5b53041ace4925778c526cd05bc3c3a308bde8d6462228c1033318b1b40c0df50173e7252c388019f898988771fee5349b52686822c3d388cf929e51e5ca6

    • SSDEEP

      12288:uoWHNszbQkYxUBLrOWsDlRERzEpb7NAVzErv0pdcCQ2/xEXmg:hWts+xcrOWsDlRswpb7UzET0NdEXmg

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15