Extracted

• • Target

    35bc174139612d416a683cb302b450d21b1eb2a8cc23d0fb22d0152b35d585c6.exe

  • Size

    504KB

  • MD5

    568967433c84d1fd3068fae82d24d750

  • SHA1

    030204e478cd66d7234850d9ef95f9b52a2dc476

  • SHA256

    35bc174139612d416a683cb302b450d21b1eb2a8cc23d0fb22d0152b35d585c6

  • SHA512

    13481aee6d2fdc5666f4febfa33a370c8590bb712be6f75bf7d212e4041f0c625b2068aad1f265254a62c4408c04070f911d378a5014061aaccf9f8c9114db75

  • SSDEEP

    12288:VX0AXmuz7sdJoJmrTNj/RQI1UrYNw9KlRVjd1z+n/Xfu+XHTmyDLNkR:ZIXx/RQIq1olRVBcRXhD0

  Score

  10^/10

  redlinesectopratcheatdiscoveryexecutioninfostealerratspywarestealertrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

  • Detects executables packed with SmartAssembly

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2