redline | 4815528e2ce6e19bd348bdb89dd59ccc8d2b5dd6432074daa92e86f45f4a5604 | Triage

Submit
Reports

Overview

overview

Static

static

3

0097-CGM C....A.exe

windows7-x64

0097-CGM C....A.exe

windows10-2004-x64

Sharing

General

Target

0097-CGM CIGIEMME S.p.A.exe
Size

3.1MB
Sample

240703-mhlz9sscjk
MD5

a1dee348cae0e72e34756c1af67a1ee3
SHA1

c1762e92c78d384273df732e0480bdc00602befe
SHA256

4815528e2ce6e19bd348bdb89dd59ccc8d2b5dd6432074daa92e86f45f4a5604
SHA512

c7235d1eb1ff5a3b2f26462eb93bf8a6f5968de06cd8c8909341522028b7670c1534d00e5a46378c96933569665c7e88a7e4692fc52fbdd70a512e4dd9e5f9b1
SSDEEP

12288:NNjXXcgKOAjxi0eF50N8y8kWtJJsn4VxSHunc:HHctOmBQKn6EOc

Score

10^/10

redline sectoprat halle evasion execution infostealer rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0097-CGM CIGIEMME S.p.A.exe

Resource

win7-20240508-en

redline sectoprat halle evasion execution infostealer rat spyware trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

0097-CGM CIGIEMME S.p.A.exe

Resource

win10v2004-20240508-en

redline sectoprat halle evasion execution infostealer rat spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

halle

C2

194.55.186.180:55123

Targets

- Target
  
  0097-CGM CIGIEMME S.p.A.exe
- Size
  
  3.1MB
- MD5
  
  a1dee348cae0e72e34756c1af67a1ee3
- SHA1
  
  c1762e92c78d384273df732e0480bdc00602befe
- SHA256
  
  4815528e2ce6e19bd348bdb89dd59ccc8d2b5dd6432074daa92e86f45f4a5604
- SHA512
  
  c7235d1eb1ff5a3b2f26462eb93bf8a6f5968de06cd8c8909341522028b7670c1534d00e5a46378c96933569665c7e88a7e4692fc52fbdd70a512e4dd9e5f9b1
- SSDEEP
  
  12288:NNjXXcgKOAjxi0eF50N8y8kWtJJsn4VxSHunc:HHctOmBQKn6EOc
Score

10^/10

redline sectoprat halle evasion execution infostealer rat spyware trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectoprathalleevasionexecutioninfostealerratspywaretrojan

behavioral2

redlinesectoprathalleevasionexecutioninfostealerratspywaretrojan

© 2018-2024

Terms | Privacy