redline | b68861078c61d4caaf3a0138db9dabad70a0663bc8df06b2d188cee5c69688ef

Analysis

max time kernel
112s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2023 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba26f6e9adc6db9dd1918107e3fc48fb.exe
Size

236KB
MD5

ba26f6e9adc6db9dd1918107e3fc48fb
SHA1

1e0f58feeacf91655561673448bf23d4db0af615
SHA256

b68861078c61d4caaf3a0138db9dabad70a0663bc8df06b2d188cee5c69688ef
SHA512

b462c37a2b9a2ad1102e037b34abb9e0699c8de9ca45be69530f087d43217f9801f925a9211cb3b896655163563d75bf0911a76ea3e88136e8977e0bdd547da4
SSDEEP

6144:zdTFcxbrKWS4/AdSZbWt6nnWmlVNJnSqPvJfb0WfnmsYUiZnTR:BTFKfKr4/AmWtCVNJ/Jj0W/n0NR

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

cheat

4.tcp.eu.ngrok.io:18632

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Stage1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Stage1.exe	family_redline
behavioral2/memory/2136-152-0x0000000000570000-0x000000000058E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Stage1.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\Stage1.exe	family_sectoprat
behavioral2/memory/2136-152-0x0000000000570000-0x000000000058E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba26f6e9adc6db9dd1918107e3fc48fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ba26f6e9adc6db9dd1918107e3fc48fb.exe

Executes dropped EXE 2 IoCs

Processes:

Stage2.exeStage1.exe

pid process

652 Stage2.exe
2136 Stage1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
652	Stage2.exe
2136	Stage1.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
C:\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
C:\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
behavioral2/memory/652-146-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/652-149-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Stage1.exe

pid process

2136 Stage1.exe
2136 Stage1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Stage1.exe

description pid process

Token: SeDebugPrivilege 2136 Stage1.exe

pid	process
2136	Stage1.exe
2136	Stage1.exe

description	pid	process
Token: SeDebugPrivilege	2136	Stage1.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ba26f6e9adc6db9dd1918107e3fc48fb.exe

description	pid	process	target process
PID 3720 wrote to memory of 652	3720	ba26f6e9adc6db9dd1918107e3fc48fb.exe	Stage2.exe
PID 3720 wrote to memory of 652	3720	ba26f6e9adc6db9dd1918107e3fc48fb.exe	Stage2.exe
PID 3720 wrote to memory of 652	3720	ba26f6e9adc6db9dd1918107e3fc48fb.exe	Stage2.exe
PID 3720 wrote to memory of 2136	3720	ba26f6e9adc6db9dd1918107e3fc48fb.exe	Stage1.exe
PID 3720 wrote to memory of 2136	3720	ba26f6e9adc6db9dd1918107e3fc48fb.exe	Stage1.exe
PID 3720 wrote to memory of 2136	3720	ba26f6e9adc6db9dd1918107e3fc48fb.exe	Stage1.exe

C:\Users\Admin\AppData\Local\Temp\ba26f6e9adc6db9dd1918107e3fc48fb.exe
"C:\Users\Admin\AppData\Local\Temp\ba26f6e9adc6db9dd1918107e3fc48fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\Stage2.exe
"C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
2⤵
- Executes dropped EXE
PID:652

C:\Users\Admin\AppData\Local\Temp\Stage1.exe
"C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stage1.exe
Filesize
95KB

MD5
75b4c72106bf101bfe358e378f168359

SHA1
80efc14013be62eb50ad584762be7b5a0dcc9212

SHA256
16e9c53da848c95e74eb08c1635b3faa43af6c5fd3b9190b8d3915e8b27b40b1

SHA512
08f3fc9a6e45b49a7c58966ce65d585a099557285ad470098fef5807c2821420edbf4788450bb36ee1b46fa3b8998e3189af7448b5f8bfd227166a614fa7a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage1.exe
Filesize
95KB

MD5
75b4c72106bf101bfe358e378f168359

SHA1
80efc14013be62eb50ad584762be7b5a0dcc9212

SHA256
16e9c53da848c95e74eb08c1635b3faa43af6c5fd3b9190b8d3915e8b27b40b1

SHA512
08f3fc9a6e45b49a7c58966ce65d585a099557285ad470098fef5807c2821420edbf4788450bb36ee1b46fa3b8998e3189af7448b5f8bfd227166a614fa7a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage2.exe
Filesize
144KB

MD5
fe10c02518149787f57903cbee5680e5

SHA1
b578cd7c730746280d6760483daed2b4d2e526d1

SHA256
9dda893cff99d3e004b88e1be0f30012655a3785ab4a49992f3b4a9fe50b4a42

SHA512
2baea47f89cef0e826446cd513054768a33038e744351dd064e9bdf6f5f66a48224b31d1e98868c37e3c7ce10f394beb38d596bf59fe2dc8d4c64602484f21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage2.exe
Filesize
144KB

MD5
fe10c02518149787f57903cbee5680e5

SHA1
b578cd7c730746280d6760483daed2b4d2e526d1

SHA256
9dda893cff99d3e004b88e1be0f30012655a3785ab4a49992f3b4a9fe50b4a42

SHA512
2baea47f89cef0e826446cd513054768a33038e744351dd064e9bdf6f5f66a48224b31d1e98868c37e3c7ce10f394beb38d596bf59fe2dc8d4c64602484f21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage2.exe
Filesize
144KB

MD5
fe10c02518149787f57903cbee5680e5

SHA1
b578cd7c730746280d6760483daed2b4d2e526d1

SHA256
9dda893cff99d3e004b88e1be0f30012655a3785ab4a49992f3b4a9fe50b4a42

SHA512
2baea47f89cef0e826446cd513054768a33038e744351dd064e9bdf6f5f66a48224b31d1e98868c37e3c7ce10f394beb38d596bf59fe2dc8d4c64602484f21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE3E.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEEB1.tmp
Filesize
92KB

MD5
367544a2a5551a41c869eb1b0b5871c3

SHA1
9051340b95090c07deda0a1df3a9c0b9233f5054

SHA256
eb0e2b2ee04cab66e2f7930ea82a5f1b42469ac50e063a8492f9c585f90bc542

SHA512
6d1275291530cb8b9944db296c4aed376765015ad6bbf51f4475a347776c99dbb2e748d0c331d89c9e6118adf641ed10e390c8ccb8ae4de4811c858d195cc34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF4A.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF6F.tmp
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFBA.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/652-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2136-294-0x00000000066C0000-0x0000000006726000-memory.dmp

Filesize
408KB

Download
memory/2136-297-0x0000000006A10000-0x0000000006A86000-memory.dmp

Filesize
472KB

Download
memory/2136-299-0x0000000007120000-0x000000000713E000-memory.dmp

Filesize
120KB

Download
memory/2136-159-0x00000000064F0000-0x00000000066B2000-memory.dmp

Filesize
1.8MB

Download
memory/2136-160-0x0000000006BF0000-0x000000000711C000-memory.dmp

Filesize
5.2MB

Download
memory/2136-153-0x00000000055E0000-0x0000000005BF8000-memory.dmp

Filesize
6.1MB

Download
memory/2136-152-0x0000000000570000-0x000000000058E000-memory.dmp

Filesize
120KB

Download
memory/2136-156-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/2136-155-0x0000000004F60000-0x0000000004F9C000-memory.dmp

Filesize
240KB

Download
memory/2136-298-0x0000000006B30000-0x0000000006BC2000-memory.dmp

Filesize
584KB

Download
memory/2136-154-0x0000000004F00000-0x0000000004F12000-memory.dmp

Filesize
72KB

Download
memory/2136-295-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/2136-296-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/2136-157-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/3720-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3720-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3720-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download