Extracted

Extracted

• • Target

    twarzbartolski.png

  • Size

    235KB

  • MD5

    e1928142c6ece419e57ffb67c188a916

  • SHA1

    86b5f664641756bdb7332bcd22b01e0543019d37

  • SHA256

    a5ee1f7fb3358883a72e2f3f86039f6b325ed9e18b8eeca095ae073faccb96f6

  • SHA512

    6204a0d9e19b257be0637c71e611cd018562aaf4a8285868e86c59df873d977b4f19a5ed10758d2c7163c3e6555b60b2b5c4c72f1a2e02c03575ac6780c9c9c6

  • SSDEEP

    6144:aNIfHohn/B55REsQ3noEAQUQV+3voVnu0AMuu76wDXtgzL1:ar/35RtQltW3voNAMRW8CzZ

  Score

  10^/10

  redlinesectopratstealcdefaulttg cloud @rlreborn admin @fatherofcardersdefense_evasiondiscoveryexecutionexploitinfostealerpersistenceprivilege_escalationratspywarestealertrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Event Triggered Execution: AppInit DLLs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation

  • Possible privilege escalation attempt

    exploit

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2