redline | be79e1d0618a893153a049271268fac39ca9007bae26ecaeb73df3a455fb90b1

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ca901fb82dabe4c5036d0b276cdfea.exe
Size

424KB
MD5

f9ca901fb82dabe4c5036d0b276cdfea
SHA1

d5bfc6ff7c6cd0d142ad3f7dfa08451203da92f9
SHA256

be79e1d0618a893153a049271268fac39ca9007bae26ecaeb73df3a455fb90b1
SHA512

9f0877bf1c0c75393f8f50b02c1b483ae636e6ab974fa6072e5061a1b9b274b95b9e5fa26145f07aba6dc823abd94657b5e1255e42c88fcf4b24a55ea1dcd2bb
SSDEEP

12288:6YF8rfffDfffFrnVqpPtogpFJN1HKd6l/r:6YmfffDfffFopPt1FlHKez

Score

10^/10

redline sectoprat china2023logz discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

CHINA2023LOGZ

193.42.32.107:16808

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1932-68-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral1/memory/1932-72-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral1/memory/1932-73-0x0000000000570000-0x000000000058E000-memory.dmp	family_redline
behavioral1/memory/1932-74-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral1/memory/1932-159-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1932-68-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral1/memory/1932-72-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral1/memory/1932-73-0x0000000000570000-0x000000000058E000-memory.dmp	family_sectoprat
behavioral1/memory/1932-74-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral1/memory/1932-159-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

pid	Process
1716	qnfzikalr.exe
1932	qnfzikalr.exe

Loads dropped DLL 3 IoCs

pid	Process
1408	f9ca901fb82dabe4c5036d0b276cdfea.exe
1408	f9ca901fb82dabe4c5036d0b276cdfea.exe
1716	qnfzikalr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 1932	1716	qnfzikalr.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	qnfzikalr.exe
1932	qnfzikalr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1716	qnfzikalr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	qnfzikalr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1716	1408	f9ca901fb82dabe4c5036d0b276cdfea.exe	28
PID 1408 wrote to memory of 1716	1408	f9ca901fb82dabe4c5036d0b276cdfea.exe	28
PID 1408 wrote to memory of 1716	1408	f9ca901fb82dabe4c5036d0b276cdfea.exe	28
PID 1408 wrote to memory of 1716	1408	f9ca901fb82dabe4c5036d0b276cdfea.exe	28
PID 1716 wrote to memory of 1932	1716	qnfzikalr.exe	29
PID 1716 wrote to memory of 1932	1716	qnfzikalr.exe	29
PID 1716 wrote to memory of 1932	1716	qnfzikalr.exe	29
PID 1716 wrote to memory of 1932	1716	qnfzikalr.exe	29
PID 1716 wrote to memory of 1932	1716	qnfzikalr.exe	29

C:\Users\Admin\AppData\Local\Temp\f9ca901fb82dabe4c5036d0b276cdfea.exe
"C:\Users\Admin\AppData\Local\Temp\f9ca901fb82dabe4c5036d0b276cdfea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe
  "C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe" C:\Users\Admin\AppData\Local\Temp\nhtkp.r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe
    "C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nhtkp.r

Filesize
5KB

MD5
a358f137cd1a05030d9679f86cd703fd

SHA1
522b7be248e3332088d4cd738e0a85964df919a7

SHA256
669f60a595da4d7b740af55cb8d1def404092c1f8c00aa20fd4901676e6db476

SHA512
cd61e61a1c3c4a1c121395bb23fc7f480be001d588e19f81ebcc2648cb8c148819543ef1792bf24b3ce70e1d128b2a5bd3f94e13075abcc8f5732055cd8b3357

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfzcgmyk.v

Filesize
193KB

MD5
6bdef9ec0352827047059bbf8fe9f1c4

SHA1
7209b7ec3cfdeb6a2f669e1fe1fd13e67cb56e55

SHA256
680652172a2cad7b0601ef8bd0a293339f2f4997ab349084bfdb38cbe4ba239b

SHA512
30bdb1d812a69c2bdc77f2019923776c5468f0cf649da9295623b3047988e1ef31fc1ffe6f81302c0a12cc6ba7b619930ad476350e892613b6fe76010ed5a37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4506.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp452B.tmp

Filesize
92KB

MD5
6d08bf9c3c653acdf38bb837cb4634bc

SHA1
f171a5ce04d67253ee2ef50d749e5940e4b83946

SHA256
2a9e7046d1e4447ae01adcf18e1aadd5ac9df5743b540db34df8fb79b80ef1bf

SHA512
a055321e6673e5afa1cef0bb12e46c56207c1eb90254e66f0ddc40c754ab48611b30b8aecc0214f7ce22a9758b764848f948ffe643d41861e2759c4d81e24f4e

Download Submit
\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
memory/1932-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-75-0x00000000044C0000-0x0000000004500000-memory.dmp

Filesize
256KB

Download
memory/1932-76-0x00000000044C0000-0x0000000004500000-memory.dmp

Filesize
256KB

Download
memory/1932-73-0x0000000000570000-0x000000000058E000-memory.dmp

Filesize
120KB

Download
memory/1932-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download