General

  • Target

    f702a1b2aa5e8f06b47c069afa26909e4a9ea31bfb3328b9efbdb7e396cf250a

  • Size

    785KB

  • Sample

    241108-3m3fta1qdy

  • MD5

    d2f542d38d3cf8abab173c4ce668cd08

  • SHA1

    de5991f684f5054eb191d327b21b301d90601d18

  • SHA256

    f702a1b2aa5e8f06b47c069afa26909e4a9ea31bfb3328b9efbdb7e396cf250a

  • SHA512

    f2f92a61fb16630d4de6da59b37b8e1e964916b6831b371900f27ef98c8602a29002bc7edf0f7bd0a75d7e96f941504eed2ae4a34971a8e2c0d1c20ae4cf2f8d

  • SSDEEP

    24576:eQNid6hXNmIvZwJAtDWCzglIejIpqG4yPaw:ZRTm/JA4CKILqg

Malware Config (Extracted)

  • Family

    redline

  • Botnet

    MALOY

  • C2

    194.226.121.151:17731

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks