General

  • Target

    RFQ_TFS-1508-AL NASR ENGINEERING.exe

  • Size

    2.7MB

  • Sample

    241118-t2hkhs1crp

  • MD5

    51e2a4cf52a06bff7b50826173d6a0ad

  • SHA1

    d5450d3259df08a3d0c0a0b91b586e8532fab2e0

  • SHA256

    7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43

  • SHA512

    95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa

  • SSDEEP

    12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV

Malware Config

Extracted

Family

redline

Botnet

hyce

C2

193.70.111.186:13484

Targets

    • Target

      RFQ_TFS-1508-AL NASR ENGINEERING.exe

    • Size

      2.7MB

    • MD5

      51e2a4cf52a06bff7b50826173d6a0ad

    • SHA1

      d5450d3259df08a3d0c0a0b91b586e8532fab2e0

    • SHA256

      7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43

    • SHA512

      95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa

    • SSDEEP

      12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks