General

  • Target: 27072024_0149_26072024_FORMULARUL DE ACTIVARE.tar
  • Size: 480KB
  • Sample: 240727-b8tx1syhnr
  • MD5: 95a0aad80e21b5d9a6263162b1865105
  • SHA1: 8861b8775e70988b84d7368c9215e069b374d749
  • SHA256: c0be8f6538e1b1ff5376dc4a9a16d3d820503fd2d8a424c08eb10ffbd73ca67f
  • SHA512: 60bdb68365cd2d5bc9ae1db179289e664baf4f6561797ebc8a7942934e1b5da406f19723a6beae5430663ff6863948004b00aba07bf99a787f7969a21bc1e2fa
  • SSDEEP: 6144:kJmmHa7vdq7TyaCtwX7YPhyqQchG5hQd1F1AHk+Kjn4HsRKqhPazezY5mWK:ktHabdqKaEpyqihQ3F1Ek+KD8WKct

Malware Config

Extracted

  • Family: redline
  • Botnet: cetry
  • C2: 204.14.75.2:16383

Targets

    • Target: FORMULARUL DE ACTIVARE.exe
    • Size: 472KB
    • MD5: 4a24e93cf23bbd3fd26fb67c783abfa2
    • SHA1: 4176e3c95eaefbf663f2c4fa4825db5a5850cd6c
    • SHA256: 644eb8cbaf868650bc2edcba4bd7c20f84332631a68cdd499d04705867f69a5e
    • SHA512: 25eddb7295cfbb825312e0df88b34c786b9c3c7aa84341a0463d30ce826b004fe0d3fdda5b9008f87752e576137f67c88f38be080b8e9a28faacf7ea6cb32ae3
    • SSDEEP: 6144:1JmmHa7vdq7TyaCtwX7YPhyqQchG5hQd1F1AHk+Kjn4HsRKqhPazezY5mWK:1tHabdqKaEpyqihQ3F1Ek+KD8WKct

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks