General

  • Target

    3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe

  • Size

    2.3MB

  • Sample

    241124-cl8nbsvmap

  • MD5

    730a8f0e0a80be36bf9ba0e6cc839e77

  • SHA1

    ceefe9311b024144e5ea3af32b4f33a48f90fa2f

  • SHA256

    3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31

  • SHA512

    c83849f9f8cf0407fbbe3f300660e907122f21bc3b554d1d372e2b408be3e9adb560e27b5fd8473abadb5bc8544a779f91d7437e1140cc1e8588773cc1a8c705

  • SSDEEP

    49152:y4XP96ykubgOg0ETAVlCOZ2vz9/HQi+Ty5:l9jbghcCi2vzxwi+Ty

Malware Config

Extracted

Family

redline

Botnet

iShop

C2

venom.underground-cheat.com:1337

Targets

    • Target

      3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe

    • Size

      2.3MB

    • MD5

      730a8f0e0a80be36bf9ba0e6cc839e77

    • SHA1

      ceefe9311b024144e5ea3af32b4f33a48f90fa2f

    • SHA256

      3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31

    • SHA512

      c83849f9f8cf0407fbbe3f300660e907122f21bc3b554d1d372e2b408be3e9adb560e27b5fd8473abadb5bc8544a779f91d7437e1140cc1e8588773cc1a8c705

    • SSDEEP

      49152:y4XP96ykubgOg0ETAVlCOZ2vz9/HQi+Ty5:l9jbghcCi2vzxwi+Ty

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks