Multiple Malware Dropped Through MSI Package

Aug. 14, 2024, 11:44 a.m.

Description

An analysis of an MSI package reveals that it is used to distribute multiple malware families, specifically SectopRAT and Redline stealer. The malware employs techniques such as executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-control servers located in Russia. The investigation underscores the importance of exercising caution when dealing with untrusted software packages.

Date

  • Created: Aug. 14, 2024, 11:14 a.m.
  • Published: Aug. 14, 2024, 11:14 a.m.
  • Modified: Aug. 14, 2024, 11:44 a.m.

Indicators

  • 7808f3aea222cdbec2e53b126f46195f4523e9501882b94e0cd42e30f8484f32
  • 69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38
  • 38c233b38ef1838666ce7204f41349d0ba9431ea4b23fdb05f915cc7a09ff7be
  • 193.3.19.108
  • 83.97.73.190
  • 213.109.202.229
  • http://83.97.73.190:4819
  • http://193.3.19.108/bart.jpg
  • http://213.109.202.229:9000/wbinjget?q=6DDE74FFD397B5FB346F9CA050F6095C
  • http://193.3.19.108/Meta.jpg.
  • filemanaager.net

Attack Patterns

  • SectopRAT
  • Redline
  • T1569.002
  • T1053.005
  • T1037
  • T1064
  • T1059.005
  • T1059.003
  • T1059.001
  • T1059.007
  • T1219
  • T1036
  • T1027
  • T1112

Additional Information

  • Russian Federation