General
-
Target
RFQ_TFS-1508-AL NASR ENGINEERING.exe
-
Size
2.7MB
-
Sample
241118-t2hkhs1crp
-
MD5
51e2a4cf52a06bff7b50826173d6a0ad
-
SHA1
d5450d3259df08a3d0c0a0b91b586e8532fab2e0
-
SHA256
7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43
-
SHA512
95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa
-
SSDEEP
12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_TFS-1508-AL NASR ENGINEERING.exe
Resource
win7-20240903-en
Malware Config
Extracted
redline
hyce
193.70.111.186:13484
Targets
-
-
Target
RFQ_TFS-1508-AL NASR ENGINEERING.exe
-
Size
2.7MB
-
MD5
51e2a4cf52a06bff7b50826173d6a0ad
-
SHA1
d5450d3259df08a3d0c0a0b91b586e8532fab2e0
-
SHA256
7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43
-
SHA512
95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa
-
SSDEEP
12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4