redline | bf82785d05512cf87b68786d825bb01052fb28f7feb2d71a78f55728785e9481

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe
Size

7.5MB
MD5

99dd387a62cb879c2aba502e556a6c93
SHA1

67ec4c2873787998a05ee62751384eb1a9b8a677
SHA256

93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032
SHA512

48e3a912e03e633375b4a1372e951aa7c2348f29a420bba1a5df354d8c26415b6bbbbea5707008d72dfd087a87d19996ec58b394c413ffdb296b1a8ec592b09d
SSDEEP

196608:G+QDCeRpnhgR/BQ+/Svwj47kuTkGfxDlDl:n6MQ+/SvwOvY4

Score

10^/10

redline sectoprat cheat infostealer pyinstaller rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1639

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe	family_redline
behavioral1/memory/1104-92-0x0000000000980000-0x000000000099E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe	family_sectoprat
behavioral1/memory/1104-92-0x0000000000980000-0x000000000099E000-memory.dmp	family_sectoprat

Executes dropped EXE 4 IoCs

Processes:

Yzbhrlfsuiprqx.exeFszzxphgcwmloe.exeSchd.exeSchd.exe

pid process

940 Yzbhrlfsuiprqx.exe
1104 Fszzxphgcwmloe.exe
556 Schd.exe
780 Schd.exe
Loads dropped DLL 4 IoCs

Processes:

93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exeSchd.exeSchd.exe

pid process

1340 93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe
2032
556 Schd.exe
780 Schd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
940	Yzbhrlfsuiprqx.exe
1104	Fszzxphgcwmloe.exe
556	Schd.exe
780	Schd.exe

pid	process
1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe
2032
556	Schd.exe
780	Schd.exe

flow	ioc
1	ip-api.com

Detects Pyinstaller 6 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Schd.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Schd.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\Schd.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Schd.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\Schd.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Schd.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Yzbhrlfsuiprqx.exeFszzxphgcwmloe.exe

description pid process

Token: SeDebugPrivilege 940 Yzbhrlfsuiprqx.exe
Token: SeDebugPrivilege 1104 Fszzxphgcwmloe.exe

description	pid	process
Token: SeDebugPrivilege	940	Yzbhrlfsuiprqx.exe
Token: SeDebugPrivilege	1104	Fszzxphgcwmloe.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exeSchd.exe

description	pid	process	target process
PID 1340 wrote to memory of 940	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Yzbhrlfsuiprqx.exe
PID 1340 wrote to memory of 940	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Yzbhrlfsuiprqx.exe
PID 1340 wrote to memory of 940	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Yzbhrlfsuiprqx.exe
PID 1340 wrote to memory of 1104	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Fszzxphgcwmloe.exe
PID 1340 wrote to memory of 1104	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Fszzxphgcwmloe.exe
PID 1340 wrote to memory of 1104	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Fszzxphgcwmloe.exe
PID 1340 wrote to memory of 1104	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Fszzxphgcwmloe.exe
PID 1340 wrote to memory of 556	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Schd.exe
PID 1340 wrote to memory of 556	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Schd.exe
PID 1340 wrote to memory of 556	1340	93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe	Schd.exe
PID 556 wrote to memory of 780	556	Schd.exe	Schd.exe
PID 556 wrote to memory of 780	556	Schd.exe	Schd.exe
PID 556 wrote to memory of 780	556	Schd.exe	Schd.exe

C:\Users\Admin\AppData\Local\Temp\93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe
"C:\Users\Admin\AppData\Local\Temp\93acd7f68e3f777d29f7f30b922da99fdaeaf71208378604b4c1d28bdfc1a032.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\Yzbhrlfsuiprqx.exe
"C:\Users\Admin\AppData\Local\Temp\Yzbhrlfsuiprqx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe
"C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Local\Temp\Schd.exe
"C:\Users\Admin\AppData\Local\Temp\Schd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\Schd.exe
"C:\Users\Admin\AppData\Local\Temp\Schd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe
Filesize
95KB

MD5
27051f78dc07b7d7311d99e8c251d043

SHA1
bae7840693fbc36cfb9ece8aa65fee589c4e2ae9

SHA256
014b8a8f383e2e1535d3d382851529d77e149a71f312db1518bb40a14def7f64

SHA512
fd7afbb9f940f65b7e212e6641d3c4336aa3bc0e9f145d19972eef4d8c95fba4d0a8804510751ba982bd1ffa228d0094c69b3b3efb0d12c6aba370afc48af7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fszzxphgcwmloe.exe
Filesize
95KB

MD5
27051f78dc07b7d7311d99e8c251d043

SHA1
bae7840693fbc36cfb9ece8aa65fee589c4e2ae9

SHA256
014b8a8f383e2e1535d3d382851529d77e149a71f312db1518bb40a14def7f64

SHA512
fd7afbb9f940f65b7e212e6641d3c4336aa3bc0e9f145d19972eef4d8c95fba4d0a8804510751ba982bd1ffa228d0094c69b3b3efb0d12c6aba370afc48af7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Schd.exe
Filesize
7.3MB

MD5
2073e77e93fc051dc7a179cea9015520

SHA1
5b0d44c2559431e40af1fd7247b83d27d4d4a2fc

SHA256
0e9621fb6359ea8acd039414c88ebc137c4864703dcfa8605718e6e3b54a597f

SHA512
7f41778776d29c5a4e586da237f4730a7bf570b328ced039c23f50c45868cacf22e7c8003a21c38fe02e3827057cfba8e34a4dc2da057e7356cb8a40928ee819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Schd.exe
Filesize
7.3MB

MD5
2073e77e93fc051dc7a179cea9015520

SHA1
5b0d44c2559431e40af1fd7247b83d27d4d4a2fc

SHA256
0e9621fb6359ea8acd039414c88ebc137c4864703dcfa8605718e6e3b54a597f

SHA512
7f41778776d29c5a4e586da237f4730a7bf570b328ced039c23f50c45868cacf22e7c8003a21c38fe02e3827057cfba8e34a4dc2da057e7356cb8a40928ee819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Schd.exe
Filesize
7.3MB

MD5
2073e77e93fc051dc7a179cea9015520

SHA1
5b0d44c2559431e40af1fd7247b83d27d4d4a2fc

SHA256
0e9621fb6359ea8acd039414c88ebc137c4864703dcfa8605718e6e3b54a597f

SHA512
7f41778776d29c5a4e586da237f4730a7bf570b328ced039c23f50c45868cacf22e7c8003a21c38fe02e3827057cfba8e34a4dc2da057e7356cb8a40928ee819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yzbhrlfsuiprqx.exe
Filesize
343KB

MD5
3b11cb5a47023cf79d5d4fdc08c7b090

SHA1
5dccd3cd27676b3dd2fc8cb36d850155c85caeb8

SHA256
bbad213fcbcfcb4febeb9da546c8775fc6adcb4fdc0b62913ccf6bfb61fcde85

SHA512
4df59f9c584a001adbd3e4f73029af777d3b8d9f7f68a6aa0bf113384faed5ef56a259859535dc48a00f16b254c4b2e67b8a6c5cc6d3eff5de6652d0a07c374d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yzbhrlfsuiprqx.exe
Filesize
343KB

MD5
3b11cb5a47023cf79d5d4fdc08c7b090

SHA1
5dccd3cd27676b3dd2fc8cb36d850155c85caeb8

SHA256
bbad213fcbcfcb4febeb9da546c8775fc6adcb4fdc0b62913ccf6bfb61fcde85

SHA512
4df59f9c584a001adbd3e4f73029af777d3b8d9f7f68a6aa0bf113384faed5ef56a259859535dc48a00f16b254c4b2e67b8a6c5cc6d3eff5de6652d0a07c374d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\python311.dll
Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
\Users\Admin\AppData\Local\Temp\Schd.exe
Filesize
7.3MB

MD5
2073e77e93fc051dc7a179cea9015520

SHA1
5b0d44c2559431e40af1fd7247b83d27d4d4a2fc

SHA256
0e9621fb6359ea8acd039414c88ebc137c4864703dcfa8605718e6e3b54a597f

SHA512
7f41778776d29c5a4e586da237f4730a7bf570b328ced039c23f50c45868cacf22e7c8003a21c38fe02e3827057cfba8e34a4dc2da057e7356cb8a40928ee819

Download Submit
\Users\Admin\AppData\Local\Temp\Schd.exe
Filesize
7.3MB

MD5
2073e77e93fc051dc7a179cea9015520

SHA1
5b0d44c2559431e40af1fd7247b83d27d4d4a2fc

SHA256
0e9621fb6359ea8acd039414c88ebc137c4864703dcfa8605718e6e3b54a597f

SHA512
7f41778776d29c5a4e586da237f4730a7bf570b328ced039c23f50c45868cacf22e7c8003a21c38fe02e3827057cfba8e34a4dc2da057e7356cb8a40928ee819

Download Submit
\Users\Admin\AppData\Local\Temp\Schd.exe
Filesize
7.3MB

MD5
2073e77e93fc051dc7a179cea9015520

SHA1
5b0d44c2559431e40af1fd7247b83d27d4d4a2fc

SHA256
0e9621fb6359ea8acd039414c88ebc137c4864703dcfa8605718e6e3b54a597f

SHA512
7f41778776d29c5a4e586da237f4730a7bf570b328ced039c23f50c45868cacf22e7c8003a21c38fe02e3827057cfba8e34a4dc2da057e7356cb8a40928ee819

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5562\python311.dll
Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
memory/940-70-0x000000001ABA0000-0x000000001AC3E000-memory.dmp

Filesize
632KB

Download
memory/940-84-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/940-66-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/940-116-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/1104-92-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/1104-115-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/1104-117-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/1340-54-0x0000000001310000-0x0000000001A8C000-memory.dmp

Filesize
7.5MB

Download
memory/1340-55-0x000000001BBC0000-0x000000001BC40000-memory.dmp

Filesize
512KB

Download