General
-
Target
B4B2DF0C17B9CC137372CFB2165D613B.exe
-
Size
760KB
-
Sample
250318-t23wfsvzb1
-
MD5
b4b2df0c17b9cc137372cfb2165d613b
-
SHA1
11f44e224ac71e5de4f70ed47ec0653cab0ce0f1
-
SHA256
d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c
-
SHA512
6a31601940c0a941ad7bc1b56231e9025477d9137e0d683e9085c890ef59d4085262ee4de2664695c3a2209ff4420c64734e38ce24af9722b5f538d2b2bb7798
-
SSDEEP
12288:AUIDlUvK90yHVBZCs/X8RKbbir1QVt3Wgcf64sE8LZfAFoVbp+iaGMgEnhr6JvLg:GjWmppBeb5wjw
Malware Config
Extracted
redline
cheat
193.233.113.113:35361
Targets
-
-
Target
B4B2DF0C17B9CC137372CFB2165D613B.exe
-
Size
760KB
-
MD5
b4b2df0c17b9cc137372cfb2165d613b
-
SHA1
11f44e224ac71e5de4f70ed47ec0653cab0ce0f1
-
SHA256
d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c
-
SHA512
6a31601940c0a941ad7bc1b56231e9025477d9137e0d683e9085c890ef59d4085262ee4de2664695c3a2209ff4420c64734e38ce24af9722b5f538d2b2bb7798
-
SSDEEP
12288:AUIDlUvK90yHVBZCs/X8RKbbir1QVt3Wgcf64sE8LZfAFoVbp+iaGMgEnhr6JvLg:GjWmppBeb5wjw
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Disables service(s)
-
Modifies Windows Defender DisableAntiSpyware settings
-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender TamperProtection settings
-
Modifies firewall policy service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Sectoprat family
-
UAC bypass
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Network Share Discovery
Attempt to gather information on host network.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
7Disable or Modify System Firewall
2Disable or Modify Tools
4Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
7