redline | 927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2 | Triage

Submit
Reports

Overview

overview

Static

static

1

927e8668d7...2.docx

windows7-x64

927e8668d7...2.docx

windows10-2004-x64

1

Sharing

General

Target

927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2.doc
Size

16KB
Sample

240625-b2aksstdjh
MD5

9edc82805ecc2d30f07d99973883c3c6
SHA1

877fae637a454593a1b66bfede20356803833266
SHA256

927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2
SHA512

b24ed91e3f53fe2cfc0b0fdaebcd495cbc878507187a802ed019736be707d5d832f149360dba0cfd394df5e0406bd979fda5aff4357fe4e2bede514098fc8cf3
SSDEEP

384:tyXxo8qWds8PL8wi4OEwH8TIbE91r2fR3JYovij7XCnp:tcxIq5P3DOqnYJZ1vO7XCp

Score

10^/10

redline sectoprat wordfile infostealer rat spyware trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2.docx

Resource

win7-20240611-en

redline sectoprat wordfile infostealer rat spyware trojan upx

windows7-x64

28 signatures

150 seconds

Behavioral task

behavioral2

Sample

927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2.docx

Resource

win10v2004-20240611-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

wordfile

C2

185.38.142.10:7474

Targets

- Target
  
  927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2.doc
- Size
  
  16KB
- MD5
  
  9edc82805ecc2d30f07d99973883c3c6
- SHA1
  
  877fae637a454593a1b66bfede20356803833266
- SHA256
  
  927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2
- SHA512
  
  b24ed91e3f53fe2cfc0b0fdaebcd495cbc878507187a802ed019736be707d5d832f149360dba0cfd394df5e0406bd979fda5aff4357fe4e2bede514098fc8cf3
- SSDEEP
  
  384:tyXxo8qWds8PL8wi4OEwH8TIbE91r2fR3JYovij7XCnp:tcxIq5P3DOqnYJZ1vO7XCp
Score

10^/10

redline sectoprat wordfile infostealer rat spyware trojan upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- UPX dump on OEP (original entry point)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectopratwordfileinfostealerratspywaretrojanupx

behavioral2

© 2018-2024

Terms | Privacy