redline | 9d4b7ad0f5db9b40e084b1e136dbb6a5a04504f2817ed1c8a7547689d61ff3e5

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-04-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe
Size

258KB
MD5

5010f50fdbbebde8c86d9944dd9545a5
SHA1

5f208fa5a783bef7f281b877af3f5a1a844d461d
SHA256

2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5
SHA512

e5294d0b026b562b06b62f0a32fcd2854830ea97438ae6a825a2d6de7f49fdfd70d6ffbb25bf6e75f78dd7b04f787022e3c084b51747eac7125c928f974e52ad
SSDEEP

6144:/Ya6I/wvDFP59p/mHNLeK5Vm9xbqVMpf4nRzk9zgq6yMOuzBjsPOMccFQB:/YWILl59pOHIt/2MpgRzk9SyMryOH

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

david1234.duckdns.org:38369

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-65-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral1/memory/2008-69-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral1/memory/2008-70-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline
behavioral1/memory/2008-71-0x00000000003B0000-0x00000000003CE000-memory.dmp	family_redline
behavioral1/memory/2008-157-0x0000000000400000-0x000000000042F000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-65-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral1/memory/2008-69-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral1/memory/2008-70-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat
behavioral1/memory/2008-71-0x00000000003B0000-0x00000000003CE000-memory.dmp	family_sectoprat
behavioral1/memory/2008-157-0x0000000000400000-0x000000000042F000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

lmlmm.exelmlmm.exe

pid process

1208 lmlmm.exe
2008 lmlmm.exe
Loads dropped DLL 2 IoCs

Processes:

2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exelmlmm.exe

pid process

1744 2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe
1208 lmlmm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

lmlmm.exe

description pid process target process

PID 1208 set thread context of 2008 1208 lmlmm.exe lmlmm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lmlmm.exe

pid process

2008 lmlmm.exe
2008 lmlmm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lmlmm.exe

pid process

1208 lmlmm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lmlmm.exe

description pid process

Token: SeDebugPrivilege 2008 lmlmm.exe

pid	process
1208	lmlmm.exe
2008	lmlmm.exe

pid	process
1744	2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe
1208	lmlmm.exe

description	pid	process	target process
PID 1208 set thread context of 2008	1208	lmlmm.exe	lmlmm.exe

pid	process
2008	lmlmm.exe
2008	lmlmm.exe

pid	process
1208	lmlmm.exe

description	pid	process
Token: SeDebugPrivilege	2008	lmlmm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exelmlmm.exe

description	pid	process	target process
PID 1744 wrote to memory of 1208	1744	2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe	lmlmm.exe
PID 1744 wrote to memory of 1208	1744	2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe	lmlmm.exe
PID 1744 wrote to memory of 1208	1744	2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe	lmlmm.exe
PID 1744 wrote to memory of 1208	1744	2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe	lmlmm.exe
PID 1208 wrote to memory of 2008	1208	lmlmm.exe	lmlmm.exe
PID 1208 wrote to memory of 2008	1208	lmlmm.exe	lmlmm.exe
PID 1208 wrote to memory of 2008	1208	lmlmm.exe	lmlmm.exe
PID 1208 wrote to memory of 2008	1208	lmlmm.exe	lmlmm.exe
PID 1208 wrote to memory of 2008	1208	lmlmm.exe	lmlmm.exe

C:\Users\Admin\AppData\Local\Temp\2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe
"C:\Users\Admin\AppData\Local\Temp\2cbbd2ddcf06673ed1ad758b71f2df75a21543ea149f15a73773ae90c6f5bce5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmm.exe" C:\Users\Admin\AppData\Local\Temp\efxsftqx.tf
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efxsftqx.tf
Filesize
5KB

MD5
5aaabbc73fc25a2b86465cb2736087cc

SHA1
eaf904bcca7ec3b8639b85c98214f506f4a8b168

SHA256
ca2178b6805f44bb28f1195fe3ec7f2a3d810ca54f2ab34898ad8cecaf61e1e5

SHA512
d156d20f959a51ad4640445b30130711e8ff6017a74b1ad0e616c01d07ed17a6b6c4295121d37ce76b65fb6b58cf703e9de8d0e9b03b99f1b221130684a22ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
Filesize
108KB

MD5
3c72ae350989f241038540a60716c075

SHA1
3dcbecb851d32168e24e2865bae262f1912efca9

SHA256
0d28a5b88eedf169bed2c925ff6ed3b8840d21569debe5c853608f85a230f64d

SHA512
4c783588e69bef6e6c08d450ff5d94b1747fc67f64f876b36e94c4689cbf03286767d81ce6121598de3600aeb36e4d6721ab9ba35444f9c6b35a99efbbe2718e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
Filesize
108KB

MD5
3c72ae350989f241038540a60716c075

SHA1
3dcbecb851d32168e24e2865bae262f1912efca9

SHA256
0d28a5b88eedf169bed2c925ff6ed3b8840d21569debe5c853608f85a230f64d

SHA512
4c783588e69bef6e6c08d450ff5d94b1747fc67f64f876b36e94c4689cbf03286767d81ce6121598de3600aeb36e4d6721ab9ba35444f9c6b35a99efbbe2718e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
Filesize
108KB

MD5
3c72ae350989f241038540a60716c075

SHA1
3dcbecb851d32168e24e2865bae262f1912efca9

SHA256
0d28a5b88eedf169bed2c925ff6ed3b8840d21569debe5c853608f85a230f64d

SHA512
4c783588e69bef6e6c08d450ff5d94b1747fc67f64f876b36e94c4689cbf03286767d81ce6121598de3600aeb36e4d6721ab9ba35444f9c6b35a99efbbe2718e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nezmh.sj
Filesize
193KB

MD5
07c47844233ce0ab620b5cf745b607de

SHA1
dede2130199e583ed783c245457f93789529e16f

SHA256
db568027eeaec7aa713806e5ca6554bfd0814b3b525b8c1b67186537b83dd7c6

SHA512
30f6b2555090915e077dea26cd06a6602971ddcf26cffdfcd3ba3b02e18f01b08e5bd0b057651e89db49b4ec37cc8f8d7ea8297e9977df15ed616dbccdc55cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B7D.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BC1.tmp
Filesize
92KB

MD5
747ae56c4c143d35c9f4deb890d470c3

SHA1
1bbe23d6c5eeb56f8a3ea5459bbd00cb825dc22a

SHA256
e847489244a60ca420a700898a700fc01002a84aed20b1af9d4ffde6b0a3214e

SHA512
f492b8d634c02d680e906f3827b53b41d69905ad59eda7c419f1f8af33a795f6330d1d88243eeab0365a1f25cf524070231ce4720034a4d0cf85a8acf5b05395

Download Submit
\Users\Admin\AppData\Local\Temp\lmlmm.exe
Filesize
108KB

MD5
3c72ae350989f241038540a60716c075

SHA1
3dcbecb851d32168e24e2865bae262f1912efca9

SHA256
0d28a5b88eedf169bed2c925ff6ed3b8840d21569debe5c853608f85a230f64d

SHA512
4c783588e69bef6e6c08d450ff5d94b1747fc67f64f876b36e94c4689cbf03286767d81ce6121598de3600aeb36e4d6721ab9ba35444f9c6b35a99efbbe2718e

Download Submit
\Users\Admin\AppData\Local\Temp\lmlmm.exe
Filesize
108KB

MD5
3c72ae350989f241038540a60716c075

SHA1
3dcbecb851d32168e24e2865bae262f1912efca9

SHA256
0d28a5b88eedf169bed2c925ff6ed3b8840d21569debe5c853608f85a230f64d

SHA512
4c783588e69bef6e6c08d450ff5d94b1747fc67f64f876b36e94c4689cbf03286767d81ce6121598de3600aeb36e4d6721ab9ba35444f9c6b35a99efbbe2718e

Download Submit
memory/2008-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-71-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/2008-72-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/2008-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download