General
  Target: 27072024_0149_26072024_FORMULARUL DE ACTIVARE.tar
  Size: 480KB
  Sample: 240727-b8tx1syhnr
  MD5: 95a0aad80e21b5d9a6263162b1865105
  SHA1: 8861b8775e70988b84d7368c9215e069b374d749
  SHA256: c0be8f6538e1b1ff5376dc4a9a16d3d820503fd2d8a424c08eb10ffbd73ca67f
  SHA512: 60bdb68365cd2d5bc9ae1db179289e664baf4f6561797ebc8a7942934e1b5da406f19723a6beae5430663ff6863948004b00aba07bf99a787f7969a21bc1e2fa
  SSDEEP: 6144:kJmmHa7vdq7TyaCtwX7YPhyqQchG5hQd1F1AHk+Kjn4HsRKqhPazezY5mWK:ktHabdqKaEpyqihQ3F1Ek+KD8WKct
Static task: static1

Behavioral task: behavioral1
  Sample: FORMULARUL DE ACTIVARE.exe
  Resource: win7-20240704-en

Malware Config
  Extracted
    Family: redline
    Botnet: cetry
    C2: 204.14.75.2:16383
Targets
  Target: FORMULARUL DE ACTIVARE.exe
  Size: 472KB
  MD5: 4a24e93cf23bbd3fd26fb67c783abfa2
  SHA1: 4176e3c95eaefbf663f2c4fa4825db5a5850cd6c
  SHA256: 644eb8cbaf868650bc2edcba4bd7c20f84332631a68cdd499d04705867f69a5e
  SHA512: 25eddb7295cfbb825312e0df88b34c786b9c3c7aa84341a0463d30ce826b004fe0d3fdda5b9008f87752e576137f67c88f38be080b8e9a28faacf7ea6cb32ae3
  SSDEEP: 6144:1JmmHa7vdq7TyaCtwX7YPhyqQchG5hQd1F1AHk+Kjn4HsRKqhPazezY5mWK:1tHabdqKaEpyqihQ3F1Ek+KD8WKct
Signatures
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  RedLine payload
  SectopRAT payload
  Credentials from Password Stores: Credentials from Web Browsers
    Malicious access to, or copy of, a web browser credential store.
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Checks computer location settings
    Looks up the country code configured in the registry, likely as a geofence check.
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate installed software.
  Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1)
      PowerShell (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (2)
      Credentials In Files (2)