redline | 7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f

General

Target

LauncherSU.exe
Size

4.6MB
MD5

1ae71d2a00c2781136f0d041617131ad
SHA1

ac45f06da190a8fbf7e5f4e9f7d9afdd941e7df6
SHA256

7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
SHA512

597ddab8dafc57121ac7b24f4517ae6c2bed20ff4563acfedb0c5f074188f1cae289d1a31a4b76ebd6ce14eeba5d309de1f79a26cf15e08eb93469989c640d91
SSDEEP

98304:P2fwb4rsly4guky5c4l0SsNL8eHNLqC0w9e+Zl/As4gXdu:swEsYM5OSsgAb/AVgX4

Score

10^/10

redline sectoprat @oxphoenix infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@OxPhOenix

C2

77.220.212.176:35752

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-67-0x00000000002C0000-0x0000000000642000-memory.dmp	family_redline
behavioral1/memory/1980-68-0x00000000002C0000-0x0000000000642000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-67-0x00000000002C0000-0x0000000000642000-memory.dmp	family_sectoprat
behavioral1/memory/1980-68-0x00000000002C0000-0x0000000000642000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

Updater.exeBBvVfoqwceAQmZX.exe

pid process

1980 Updater.exe
484 BBvVfoqwceAQmZX.exe
Loads dropped DLL 2 IoCs

Processes:

LauncherSU.exe

pid process

2012 LauncherSU.exe
2012 LauncherSU.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Updater.exe

pid process

1980 Updater.exe
1980 Updater.exe
1980 Updater.exe
1980 Updater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Updater.exe

description pid process

Token: SeDebugPrivilege 1980 Updater.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Updater.exe

pid process

1980 Updater.exe

pid	process
1980	Updater.exe
484	BBvVfoqwceAQmZX.exe

pid	process
2012	LauncherSU.exe
2012	LauncherSU.exe

pid	process
1980	Updater.exe
1980	Updater.exe
1980	Updater.exe
1980	Updater.exe

description	pid	process
Token: SeDebugPrivilege	1980	Updater.exe

pid	process
1980	Updater.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

LauncherSU.exe

description	pid	process	target process
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 1980	2012	LauncherSU.exe	Updater.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe
PID 2012 wrote to memory of 484	2012	LauncherSU.exe	BBvVfoqwceAQmZX.exe

C:\Users\Admin\AppData\Local\Temp\LauncherSU.exe
"C:\Users\Admin\AppData\Local\Temp\LauncherSU.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
2⤵
- Executes dropped EXE
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
1.1MB

MD5
73fb2d35e584c5b2a0bcee38de623547

SHA1
00112f9d61a13fbb6e2b5c74c3a7abcb09ff6b59

SHA256
ceada29a20a20983b6589bfbf4ff321f0bb3bbf692bdf90eab1ad441cc50eaff

SHA512
c3e956388816b6caa10f683d7973a0f6c1153c7abf005606d0b8381d85ea2a0beae0835ddd56524b52d54c9ab7b65d615a88100af6c4325ac88cfd66bad6f127

Download Submit
C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
Filesize
4.0MB

MD5
3b6317716a734b3fe08f868cd3382066

SHA1
b8967872a389177ce632141599cda9ffbf9b0d4f

SHA256
f5110fa71bdc19dff7f8335efe2dc948dcfd8a066e9acd80d438f6677ae956ba

SHA512
f5ed6733b6848299a03631b64f98196667dd436b08ff4b3bde0c6f011d11cfbb34c0f3228ebeb3438a7c334fc331c9030c68597a9d21def453cb5198570924cb

Download Submit
\??\c:\users\admin\appdata\local\temp\updater.exe
Filesize
1.1MB

MD5
73fb2d35e584c5b2a0bcee38de623547

SHA1
00112f9d61a13fbb6e2b5c74c3a7abcb09ff6b59

SHA256
ceada29a20a20983b6589bfbf4ff321f0bb3bbf692bdf90eab1ad441cc50eaff

SHA512
c3e956388816b6caa10f683d7973a0f6c1153c7abf005606d0b8381d85ea2a0beae0835ddd56524b52d54c9ab7b65d615a88100af6c4325ac88cfd66bad6f127

Download Submit
\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
1.1MB

MD5
73fb2d35e584c5b2a0bcee38de623547

SHA1
00112f9d61a13fbb6e2b5c74c3a7abcb09ff6b59

SHA256
ceada29a20a20983b6589bfbf4ff321f0bb3bbf692bdf90eab1ad441cc50eaff

SHA512
c3e956388816b6caa10f683d7973a0f6c1153c7abf005606d0b8381d85ea2a0beae0835ddd56524b52d54c9ab7b65d615a88100af6c4325ac88cfd66bad6f127

Download Submit
\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
Filesize
4.0MB

MD5
3b6317716a734b3fe08f868cd3382066

SHA1
b8967872a389177ce632141599cda9ffbf9b0d4f

SHA256
f5110fa71bdc19dff7f8335efe2dc948dcfd8a066e9acd80d438f6677ae956ba

SHA512
f5ed6733b6848299a03631b64f98196667dd436b08ff4b3bde0c6f011d11cfbb34c0f3228ebeb3438a7c334fc331c9030c68597a9d21def453cb5198570924cb

Download Submit
memory/484-69-0x00000000750A0000-0x00000000750E7000-memory.dmp

Filesize
284KB

Download
memory/484-463-0x0000000000400000-0x0000000000B75000-memory.dmp

Filesize
7.5MB

Download
memory/1980-67-0x00000000002C0000-0x0000000000642000-memory.dmp

Filesize
3.5MB

Download
memory/1980-66-0x00000000002C0000-0x0000000000642000-memory.dmp

Filesize
3.5MB

Download
memory/1980-68-0x00000000002C0000-0x0000000000642000-memory.dmp

Filesize
3.5MB

Download
memory/1980-473-0x0000000002F10000-0x0000000002F50000-memory.dmp

Filesize
256KB

Download
memory/1980-476-0x0000000002F10000-0x0000000002F50000-memory.dmp

Filesize
256KB

Download
memory/2012-65-0x0000000002540000-0x00000000028C2000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads