redline | 5e8c7441a376ddad324526a589ee115aed949d6b3ec4c443e44ba758b38325e4 | Triage

Submit
Reports

Overview

overview

Static

static

3

6.exe

windows7-x64

6.exe

windows10-2004-x64

Sharing

General

Target

6.exe
Size

2.6MB
Sample

240705-rgjwqsscpg
MD5

908d3656bb401fd8c4cf83d3bd39f19e
SHA1

7cc3652b2064490586b9525f4126e725c5ab878e
SHA256

5e8c7441a376ddad324526a589ee115aed949d6b3ec4c443e44ba758b38325e4
SHA512

37dfd062ec619ac8c8f0f3b89674b3b382950ca7f616e3265f42f6fb81bc407423221351d682bc3010f2b214e2d7c6b60a5b340269278fffc3843eae9bbc80c7
SSDEEP

12288:qI5OHqTR956eJKB1ROcXehK7X7wh0+iEm5wm:q1GRj6RMHU7qqwm

Score

10^/10

redline sectoprat halle evasion execution infostealer rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6.exe

Resource

win7-20240704-en

redline sectoprat halle evasion execution infostealer rat spyware trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

6.exe

Resource

win10v2004-20240704-en

redline sectoprat halle evasion execution infostealer rat spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

halle

C2

194.55.186.180:55123

Targets

- Target
  
  6.exe
- Size
  
  2.6MB
- MD5
  
  908d3656bb401fd8c4cf83d3bd39f19e
- SHA1
  
  7cc3652b2064490586b9525f4126e725c5ab878e
- SHA256
  
  5e8c7441a376ddad324526a589ee115aed949d6b3ec4c443e44ba758b38325e4
- SHA512
  
  37dfd062ec619ac8c8f0f3b89674b3b382950ca7f616e3265f42f6fb81bc407423221351d682bc3010f2b214e2d7c6b60a5b340269278fffc3843eae9bbc80c7
- SSDEEP
  
  12288:qI5OHqTR956eJKB1ROcXehK7X7wh0+iEm5wm:q1GRj6RMHU7qqwm
Score

10^/10

redline sectoprat halle evasion execution infostealer rat spyware trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectoprathalleevasionexecutioninfostealerratspywaretrojan

behavioral2

redlinesectoprathalleevasionexecutioninfostealerratspywaretrojan

© 2018-2024

Terms | Privacy