Extracted

• • Target

    RFQ_TFS-1508-ALNASRENGINEERING.exe

  • Size

    2.7MB

  • MD5

    51e2a4cf52a06bff7b50826173d6a0ad

  • SHA1

    d5450d3259df08a3d0c0a0b91b586e8532fab2e0

  • SHA256

    7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43

  • SHA512

    95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa

  • SSDEEP

    12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV

  Score

  10^/10

  redlinesectoprathycediscoveryevasionexecutioninfostealerratspywaretrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral1behavioral2