redline | 875d856c37fde99e43deb9fefb56e49a59687aa1fbf830b1b126168a29128e31

Analysis

max time kernel
127s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crypt.exe
Size

323KB
MD5

2936c28076b8434601dba5322b3bef97
SHA1

4dfc412181278822c5e64b831028b06f0dd62ae5
SHA256

875d856c37fde99e43deb9fefb56e49a59687aa1fbf830b1b126168a29128e31
SHA512

b88a2d50a0dc1a42ebe4ac2b3a44ccfa6648f5bafe2287a553e8801fea9bc66649be28811330ccb502c11d4ef2ca3a1760e7f4f64112a53250cd6fa75adf5ddb
SSDEEP

6144:vYa6juASI1KIq56x+vAKC5Fyqs8itGi4dG4z08Erlf5dCmjpEcxk5rarP:vYJeIq5TvALfyqBiMJdG4zmrlfvbHxIY

Score

10^/10

redline sectoprat discovery infostealer rat spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4744-141-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/4744-143-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/4744-145-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/4744-147-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral2/memory/4744-335-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4744-141-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/4744-143-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/4744-145-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/4744-147-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral2/memory/4744-335-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

qahnkzt.exeqahnkzt.exe

pid process

3236 qahnkzt.exe
4744 qahnkzt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

qahnkzt.exe

description pid process target process

PID 3236 set thread context of 4744 3236 qahnkzt.exe qahnkzt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

qahnkzt.exe

pid process

4744 qahnkzt.exe
4744 qahnkzt.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

qahnkzt.exe

pid process

3236 qahnkzt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qahnkzt.exe

description pid process

Token: SeDebugPrivilege 4744 qahnkzt.exe

pid	process
3236	qahnkzt.exe
4744	qahnkzt.exe

description	pid	process	target process
PID 3236 set thread context of 4744	3236	qahnkzt.exe	qahnkzt.exe

pid	process
4744	qahnkzt.exe
4744	qahnkzt.exe

pid	process
3236	qahnkzt.exe

description	pid	process
Token: SeDebugPrivilege	4744	qahnkzt.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

crypt.exeqahnkzt.exe

description	pid	process	target process
PID 4268 wrote to memory of 3236	4268	crypt.exe	qahnkzt.exe
PID 4268 wrote to memory of 3236	4268	crypt.exe	qahnkzt.exe
PID 4268 wrote to memory of 3236	4268	crypt.exe	qahnkzt.exe
PID 3236 wrote to memory of 4744	3236	qahnkzt.exe	qahnkzt.exe
PID 3236 wrote to memory of 4744	3236	qahnkzt.exe	qahnkzt.exe
PID 3236 wrote to memory of 4744	3236	qahnkzt.exe	qahnkzt.exe
PID 3236 wrote to memory of 4744	3236	qahnkzt.exe	qahnkzt.exe

C:\Users\Admin\AppData\Local\Temp\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\crypt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
"C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe" C:\Users\Admin\AppData\Local\Temp\hxpsmql.q
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
"C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akcqkmvta.uib
Filesize
193KB

MD5
025965f8fd5553c8f02dd9e8214ebf09

SHA1
d8ad0439efbf58261198e545de9488fbceec65b9

SHA256
f4660cb7cf188b659b83f647f09e4caa264252c5a0ebdc0007c9fe1f61440671

SHA512
bb026ea4e5386b3992aaeb3a4fcf70407dfa24675fd4634f5f2570f1d80416b502c6667de5dc3e2b2b829b299a0539ac3d122815646b8b851783e4abe4e62e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxpsmql.q
Filesize
6KB

MD5
561c1011874d9e3ebb4188be80bf1089

SHA1
41600e836ddb33d59e5a534f6ba5d0df28db3ac8

SHA256
7fed79d90e94178e73f2d70747435db39b4c41de085e8eafd5f561417ac64564

SHA512
ff0284bd576040dc43aaa39044cab2498ad212b9668ce83135815aca37ddcea03608784b8aa4fc329782403241b1db1b8b33971d14275a3d7b7fd8d97068a020

Download Submit
C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
Filesize
283KB

MD5
e3828b0f3a3ab4333a1e3e3c2a907939

SHA1
48a71d6d6ee9b56918bc4e96f61c5af41a6ccd0c

SHA256
668536338cf0d01cb1639094b4fdb91c2785cac56e3f84cd6c7cfca4b54db72f

SHA512
f003ad29d4aeb88782fe3733c03771694e7ecab7bce62f82c4ed39038daaf4ab4189438c3be8d6a26ade5605321d87663b25345bc2030cd289211d32e169a911

Download Submit
C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
Filesize
283KB

MD5
e3828b0f3a3ab4333a1e3e3c2a907939

SHA1
48a71d6d6ee9b56918bc4e96f61c5af41a6ccd0c

SHA256
668536338cf0d01cb1639094b4fdb91c2785cac56e3f84cd6c7cfca4b54db72f

SHA512
f003ad29d4aeb88782fe3733c03771694e7ecab7bce62f82c4ed39038daaf4ab4189438c3be8d6a26ade5605321d87663b25345bc2030cd289211d32e169a911

Download Submit
C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
Filesize
283KB

MD5
e3828b0f3a3ab4333a1e3e3c2a907939

SHA1
48a71d6d6ee9b56918bc4e96f61c5af41a6ccd0c

SHA256
668536338cf0d01cb1639094b4fdb91c2785cac56e3f84cd6c7cfca4b54db72f

SHA512
f003ad29d4aeb88782fe3733c03771694e7ecab7bce62f82c4ed39038daaf4ab4189438c3be8d6a26ade5605321d87663b25345bc2030cd289211d32e169a911

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFCE.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB002.tmp
Filesize
92KB

MD5
4b609cebb20f08b79628408f4fa2ad42

SHA1
f725278c8bc0527c316e01827f195de5c9a8f934

SHA256
2802818c570f9da1ce2e2fe2ff12cd3190b4c287866a3e4dfe2ad3a7df4cecdf

SHA512
19111811722223521c8ef801290e2d5d8a49c0800363b9cf4232ca037dbcc515aa16ba6c043193f81388260db0e9a7cdb31b0da8c7ffa5bcad67ddbd842e2c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB03D.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB072.tmp
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0BD.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/3236-144-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/4744-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-148-0x0000000004A30000-0x0000000005048000-memory.dmp

Filesize
6.1MB

Download
memory/4744-151-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-152-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-153-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-154-0x0000000005220000-0x000000000532A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-155-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-156-0x0000000005E20000-0x0000000005FE2000-memory.dmp

Filesize
1.8MB

Download
memory/4744-157-0x0000000005FF0000-0x000000000651C000-memory.dmp

Filesize
5.2MB

Download
memory/4744-158-0x0000000006610000-0x0000000006676000-memory.dmp

Filesize
408KB

Download
memory/4744-149-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/4744-150-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/4744-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-293-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-294-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-295-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-296-0x0000000006950000-0x00000000069C6000-memory.dmp

Filesize
472KB

Download
memory/4744-297-0x0000000006A20000-0x0000000006AB2000-memory.dmp

Filesize
584KB

Download
memory/4744-298-0x0000000006AC0000-0x0000000007064000-memory.dmp

Filesize
5.6MB

Download
memory/4744-299-0x00000000073B0000-0x00000000073CE000-memory.dmp

Filesize
120KB

Download
memory/4744-300-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4744-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download