Overview

overview

10

Static

static

3

Lucky SkinChanger.exe

windows7-x64

6

Lucky SkinChanger.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3cb5f60fd3321001da79d29966103a6987a6540e

  • Size

    1.8MB

  • Sample

    241109-t7gkea1laj

  • MD5

    2d2a51e73f7d6ead1dcf6f3945e61edc

  • SHA1

    3cb5f60fd3321001da79d29966103a6987a6540e

  • SHA256

    c322a19f7b453ed4b9b03817eedc08e88cd8858fd19de799da20603b2d8f5b90

  • SHA512

    c39b6a1ed6d8aeb16eb1633321f9fbab0da3e7e1dd1c6beb576be2b3bf1cadad321fa2b5a3b099e692a6643e957a78f2b0ed32cc6e39ccf2418e6b2dbeeb8fc1

  • SSDEEP

    49152:gDWuyi+5LLa5cJhALef+GYGylsiaAHJNOA8ae:6u5LLau6e2Gvylsi1pNe9

Score
10/10
redlinesectopratsapphirediscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sapphire

C2

185.230.143.237:2548

Targets

    • Target

      Lucky SkinChanger.exe

    • Size

      2.1MB

    • MD5

      795a68d97113af5bfe54e3b0250ee2d4

    • SHA1

      65d1bd69f7fb761ffe0831548b41af9d107692db

    • SHA256

      1800e21eac1384cd70ce9edc4b58301eb632eb01489481034a3cd292314dc9ff

    • SHA512

      b87ecd159a781b83fb1e59c6e2aa372f364047832081920c2f8cb1699793536066b5e9150ec447dc280540bb5032aca5da0a1302892d561820009f95ae747990

    • SSDEEP

      49152:RL1bLMB4ZrlZ/TZGvyAmbJKHo54cl8LH+tkWJ0X4:PLFZz/taAEjcmHgkWJ0X

    Score
    10/10
    redlinesectopratsapphirediscoveryinfostealerratspywarestealertrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks