redline | c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131 | Triage

Submit
Reports

Overview

overview

Static

static

1

c97a7970e2...31.exe

windows7-x64

9

c97a7970e2...31.exe

windows10-2004-x64

Sharing

General

Target

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
Size

507KB
Sample

240625-b89ngaxeqj
MD5

01403de5e5b173a6459964ebc76ea44c
SHA1

e0e0badffcd445fb5a9940d5d9894f9faf2d3c15
SHA256

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131
SHA512

497a95bc5175c83c2346b9359af4ffae020fdfc5adab9d1aa3df11e59bc53f8f6e830e3fe4a9a62d912242923dc9ace81390ecec0425b7d64538b5e07507b950
SSDEEP

12288:7CMEpyVZfUcyo/Bn8mjgjEGDa/jIsd2C6i1zkR:Ffp/B8NEGDIjJ6i1m

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe

Resource

win7-20240508-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe

Resource

win10v2004-20240611-en

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.70:55615

Targets

- Target
  
  c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
- Size
  
  507KB
- MD5
  
  01403de5e5b173a6459964ebc76ea44c
- SHA1
  
  e0e0badffcd445fb5a9940d5d9894f9faf2d3c15
- SHA256
  
  c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131
- SHA512
  
  497a95bc5175c83c2346b9359af4ffae020fdfc5adab9d1aa3df11e59bc53f8f6e830e3fe4a9a62d912242923dc9ace81390ecec0425b7d64538b5e07507b950
- SSDEEP
  
  12288:7CMEpyVZfUcyo/Bn8mjgjEGDa/jIsd2C6i1zkR:Ffp/B8NEGDIjJ6i1m
Score

10^/10

execution redline sectoprat cheat discovery infostealer rat spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects executables packed with SmartAssembly
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

redlinesectopratcheatdiscoveryexecutioninfostealerratspywarestealertrojan

© 2018-2024

Terms | Privacy