Overview

overview

10

Static

static

3

RFQ_TFS-15...NG.exe

windows7-x64

10

RFQ_TFS-15...NG.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2024 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ_TFS-1508-AL NASR ENGINEERING.exe

  • Size

    2.7MB

  • MD5

    51e2a4cf52a06bff7b50826173d6a0ad

  • SHA1

    d5450d3259df08a3d0c0a0b91b586e8532fab2e0

  • SHA256

    7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43

  • SHA512

    95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa

  • SSDEEP

    12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV

Score
10/10
redlinesectoprathycediscoveryevasionexecutioninfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

hyce

C2

193.70.111.186:13484

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekneqdss.sqm.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDF29.tmp
    Filesize

    40KB

    MD5

    a182561a527f929489bf4b8f74f65cd7

    SHA1

    8cd6866594759711ea1836e86a5b7ca64ee8911f

    SHA256

    42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

    SHA512

    9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDF4E.tmp
    Filesize

    114KB

    MD5

    a1eeb9d95adbb08fa316226b55e4f278

    SHA1

    b36e8529ac3f2907750b4fea7037b147fe1061a6

    SHA256

    2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

    SHA512

    f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDF79.tmp
    Filesize

    48KB

    MD5

    349e6eb110e34a08924d92f6b334801d

    SHA1

    bdfb289daff51890cc71697b6322aa4b35ec9169

    SHA256

    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

    SHA512

    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDF7F.tmp
    Filesize

    20KB

    MD5

    49693267e0adbcd119f9f5e02adf3a80

    SHA1

    3ba3d7f89b8ad195ca82c92737e960e1f2b349df

    SHA256

    d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

    SHA512

    b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDF95.tmp
    Filesize

    116KB

    MD5

    f70aa3fa04f0536280f872ad17973c3d

    SHA1

    50a7b889329a92de1b272d0ecf5fce87395d3123

    SHA256

    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

    SHA512

    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDFC0.tmp
    Filesize

    96KB

    MD5

    40f3eb83cc9d4cdb0ad82bd5ff2fb824

    SHA1

    d6582ba879235049134fa9a351ca8f0f785d8835

    SHA256

    cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

    SHA512

    cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

    Download Submit

  • memory/876-12-0x000002FCE9580000-0x000002FCE95A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/876-5-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/876-17-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/876-6-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/876-25-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2704-3-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2704-0-0x00007FFF2B5F3000-0x00007FFF2B5F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2704-1-0x000001FF37090000-0x000001FF37098000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2704-2-0x000001FF51480000-0x000001FF514F0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2704-27-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3644-20-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3644-19-0x0000000005B40000-0x0000000006158000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3644-29-0x0000000006E70000-0x000000000739C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3644-4-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3644-26-0x0000000005630000-0x000000000573A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3644-22-0x0000000005490000-0x00000000054DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3644-21-0x0000000005450000-0x000000000548C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3644-28-0x0000000006770000-0x0000000006932000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3644-18-0x000000007528E000-0x000000007528F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3644-193-0x0000000006A40000-0x0000000006AA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3644-194-0x0000000006D50000-0x0000000006DC6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3644-195-0x00000000073A0000-0x0000000007432000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3644-196-0x00000000079F0000-0x0000000007F94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3644-197-0x00000000076C0000-0x00000000076DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3644-198-0x000000007528E000-0x000000007528F000-memory.dmp

    Filesize

    4KB

    Download