Extracted

• • Target

    66fcfbb25cb0e50b4cd85852ef21ddbf36e4c19a36cffef9e5f3e22c04b4290f.exe

  • Size

    505KB

  • MD5

    47278783745b4d089155c06c75a660fb

  • SHA1

    d79a6323b88953da2a794e76cb80c855f6bbedc9

  • SHA256

    66fcfbb25cb0e50b4cd85852ef21ddbf36e4c19a36cffef9e5f3e22c04b4290f

  • SHA512

    0d26598b717cac1b8de6432ed6c933b85b36da06cbaf2ddc06d52f7bb80dcb931850a18c6c87c02b173c024be60b4a9c83573c9368fea3ac482e2325f390c777

  • SSDEEP

    12288:zhMnv8pgJhX7ZspQ6Izq08jG5iBk8BJAzlHJkR:S7H7zq1jGUFBepU

  Score

  10^/10

  redlinesectopratcheatdiscoveryexecutioninfostealerratspywarestealertrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2