redline | be79e1d0618a893153a049271268fac39ca9007bae26ecaeb73df3a455fb90b1

Analysis

max time kernel
60s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ca901fb82dabe4c5036d0b276cdfea.exe
Size

424KB
MD5

f9ca901fb82dabe4c5036d0b276cdfea
SHA1

d5bfc6ff7c6cd0d142ad3f7dfa08451203da92f9
SHA256

be79e1d0618a893153a049271268fac39ca9007bae26ecaeb73df3a455fb90b1
SHA512

9f0877bf1c0c75393f8f50b02c1b483ae636e6ab974fa6072e5061a1b9b274b95b9e5fa26145f07aba6dc823abd94657b5e1255e42c88fcf4b24a55ea1dcd2bb
SSDEEP

12288:6YF8rfffDfffFrnVqpPtogpFJN1HKd6l/r:6YmfffDfffFopPt1FlHKez

Score

10^/10

redline sectoprat discovery infostealer rat spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral2/memory/796-141-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/796-143-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/796-144-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/796-149-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/796-338-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/796-141-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/796-143-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/796-144-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/796-149-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/796-338-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

pid	Process
4216	qnfzikalr.exe
796	qnfzikalr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4216 set thread context of 796	4216	qnfzikalr.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
796	qnfzikalr.exe
796	qnfzikalr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4216	qnfzikalr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	qnfzikalr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4216	2516	f9ca901fb82dabe4c5036d0b276cdfea.exe	86
PID 2516 wrote to memory of 4216	2516	f9ca901fb82dabe4c5036d0b276cdfea.exe	86
PID 2516 wrote to memory of 4216	2516	f9ca901fb82dabe4c5036d0b276cdfea.exe	86
PID 4216 wrote to memory of 796	4216	qnfzikalr.exe	87
PID 4216 wrote to memory of 796	4216	qnfzikalr.exe	87
PID 4216 wrote to memory of 796	4216	qnfzikalr.exe	87
PID 4216 wrote to memory of 796	4216	qnfzikalr.exe	87

C:\Users\Admin\AppData\Local\Temp\f9ca901fb82dabe4c5036d0b276cdfea.exe
"C:\Users\Admin\AppData\Local\Temp\f9ca901fb82dabe4c5036d0b276cdfea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe
  "C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe" C:\Users\Admin\AppData\Local\Temp\nhtkp.r
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe
    "C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nhtkp.r

Filesize
5KB

MD5
a358f137cd1a05030d9679f86cd703fd

SHA1
522b7be248e3332088d4cd738e0a85964df919a7

SHA256
669f60a595da4d7b740af55cb8d1def404092c1f8c00aa20fd4901676e6db476

SHA512
cd61e61a1c3c4a1c121395bb23fc7f480be001d588e19f81ebcc2648cb8c148819543ef1792bf24b3ce70e1d128b2a5bd3f94e13075abcc8f5732055cd8b3357

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfzcgmyk.v

Filesize
193KB

MD5
6bdef9ec0352827047059bbf8fe9f1c4

SHA1
7209b7ec3cfdeb6a2f669e1fe1fd13e67cb56e55

SHA256
680652172a2cad7b0601ef8bd0a293339f2f4997ab349084bfdb38cbe4ba239b

SHA512
30bdb1d812a69c2bdc77f2019923776c5468f0cf649da9295623b3047988e1ef31fc1ffe6f81302c0a12cc6ba7b619930ad476350e892613b6fe76010ed5a37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnfzikalr.exe

Filesize
138KB

MD5
16e89238ea4beb341661f7c424707294

SHA1
7888ae723e4eee972bf2fc23fe26acf4f61f23db

SHA256
d9f5868540bad550b8acc4de42a5b5b1c70b0e690ac7265fa619d56bf7470b46

SHA512
fbaccf12ec484e7ed6f1281f5ae0de95a8fa8ad422376d930ca01b7623108dc0be72066d95cc77a7a8a3c2126fb13d2ef6ce8bff735e730d855b183dc923b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFBE.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFE3.tmp

Filesize
92KB

MD5
ec9dc2b3a8b24bcbda00502af0fedd51

SHA1
b555e8192e4aef3f0beb5f5381a7ad7095442e8d

SHA256
7378950f042c94b08cc138fd8c02e41f88b616cd17f23c0c06d4e3ca3e2937d2

SHA512
9040813d94956771ce06cdc1f524e0174c481cdc0e1d93cbf8a7d76dd321a641229e5a9dd1c085e92a9f66d92b6d7edc80b77cd54bb8905852c150234a190194

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB04D.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB072.tmp

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0BD.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/796-146-0x0000000004A70000-0x0000000005088000-memory.dmp

Filesize
6.1MB

Download
memory/796-148-0x00000000049F0000-0x0000000004A2C000-memory.dmp

Filesize
240KB

Download
memory/796-150-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/796-151-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/796-152-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/796-153-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/796-154-0x0000000005E10000-0x0000000005FD2000-memory.dmp

Filesize
1.8MB

Download
memory/796-155-0x0000000005FE0000-0x000000000650C000-memory.dmp

Filesize
5.2MB

Download
memory/796-156-0x0000000006600000-0x0000000006666000-memory.dmp

Filesize
408KB

Download
memory/796-157-0x0000000006920000-0x0000000006EC4000-memory.dmp

Filesize
5.6MB

Download
memory/796-159-0x0000000006F40000-0x0000000006FD2000-memory.dmp

Filesize
584KB

Download
memory/796-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-147-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/796-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-293-0x0000000007230000-0x00000000072A6000-memory.dmp

Filesize
472KB

Download
memory/796-294-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/796-295-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/796-296-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/796-336-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/796-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download