redline | 0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c | Triage

Submit
Reports

Overview

overview

Static

static

3

0C7129CC87...B8.exe

windows7-x64

0C7129CC87...B8.exe

windows10-2004-x64

Sharing

General

Target

0C7129CC873A7AE0A20B38275F792EB8.exe
Size

125KB
Sample

240613-g8sylsxdne
MD5

0c7129cc873a7ae0a20b38275f792eb8
SHA1

d182944e585357d572ff7f04f31ea8cd633f7f83
SHA256

0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c
SHA512

9f5d5fb23d0efa317d321d6a37e24c6ee97005dd70ee8a2d7116ae94243e339a7fcbf5c41d7edda96bdda2042642a8ce03fdde53a6bf77c9dff358edb6109b16
SSDEEP

3072:/6V/R6cUvnDmwPU9101LS8U5wUBeixhRk+XbXT9PsHP:CNR6JPDmwPUbi05wYeH+XbZP2

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0C7129CC873A7AE0A20B38275F792EB8.exe

Resource

win7-20240221-en

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

0C7129CC873A7AE0A20B38275F792EB8.exe

Resource

win10v2004-20240508-en

redline sectoprat cheat execution infostealer rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

103.168.67.9:57395

Targets

- Target
  
  0C7129CC873A7AE0A20B38275F792EB8.exe
- Size
  
  125KB
- MD5
  
  0c7129cc873a7ae0a20b38275f792eb8
- SHA1
  
  d182944e585357d572ff7f04f31ea8cd633f7f83
- SHA256
  
  0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c
- SHA512
  
  9f5d5fb23d0efa317d321d6a37e24c6ee97005dd70ee8a2d7116ae94243e339a7fcbf5c41d7edda96bdda2042642a8ce03fdde53a6bf77c9dff358edb6109b16
- SSDEEP
  
  3072:/6V/R6cUvnDmwPU9101LS8U5wUBeixhRk+XbXT9PsHP:CNR6JPDmwPUbi05wYeH+XbZP2
Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectopratcheatdiscoveryexecutioninfostealerratspywarestealertrojan

behavioral2

redlinesectopratcheatexecutioninfostealerrattrojan

© 2018-2024

Terms | Privacy