redline | f4d4a93ecb36d9fab1a2682546bac78f2f9a407ae4a26449e90e5a3dc1051628 | Triage

Submit
Reports

Overview

overview

Static

static

1

TokenGrabber.zip

windows11-21h2-x64

Sharing

General

Target

TokenGrabber.zip
Size

4.2MB
Sample

240730-3y6bvawbrm
MD5

e88d1825e4986a478090a8ad32f37bbd
SHA1

0d46c03a44febdfb6105ae6aab9a03728522912f
SHA256

f4d4a93ecb36d9fab1a2682546bac78f2f9a407ae4a26449e90e5a3dc1051628
SHA512

1624c8ca0e8ac1b51e4bc0d3dfc60a8e9d2193e71b5b3bab28823659582c093840524e98ee016e5e36b38cac1d2e8a081964e1467d90d875ec9f65fd8000113f
SSDEEP

98304:TVZW3NAlhbkwyYQLxig4O/ejs17Z7fbTiWcnBLUwzUbvUf4JlreCWtK/7dW1J:TVZQN6dkwyX4Oj7bToBhqTlrjWkU1J

Score

10^/10

redline sectoprat credential_access discovery evasion infostealer rat spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

TokenGrabber.zip

Resource

win11-20240730-en

redline sectoprat credential_access discovery evasion infostealer rat spyware stealer themida trojan

windows11-21h2-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  TokenGrabber.zip
- Size
  
  4.2MB
- MD5
  
  e88d1825e4986a478090a8ad32f37bbd
- SHA1
  
  0d46c03a44febdfb6105ae6aab9a03728522912f
- SHA256
  
  f4d4a93ecb36d9fab1a2682546bac78f2f9a407ae4a26449e90e5a3dc1051628
- SHA512
  
  1624c8ca0e8ac1b51e4bc0d3dfc60a8e9d2193e71b5b3bab28823659582c093840524e98ee016e5e36b38cac1d2e8a081964e1467d90d875ec9f65fd8000113f
- SSDEEP
  
  98304:TVZW3NAlhbkwyYQLxig4O/ejs17Z7fbTiWcnBLUwzUbvUf4JlreCWtK/7dW1J:TVZQN6dkwyX4Oj7bToBhqTlrjWkU1J
Score

10^/10

redline sectoprat credential_access discovery evasion infostealer rat spyware stealer themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinesectopratcredential_accessdiscoveryevasioninfostealerratspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy