redline | ba85db2614120d1e5b26b4c89847f219317a823bf1e3382cb379666677b0a8fe

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER QUOTATION LIST.pdf.exe
Size

837KB
MD5

00b7354438e3a2483c5c4e0c52d10f7e
SHA1

c1c3b90b1cf7541abd6bd9f098811c368078ed0b
SHA256

ba85db2614120d1e5b26b4c89847f219317a823bf1e3382cb379666677b0a8fe
SHA512

0e1dfb63dd23f508d6d82c89a62618071be5ba3b4b88b4645951c054b96c15ce7e9676976670147a720369f161d554d4af986749e4c3e12f73b1d2954c98a863
SSDEEP

24576:/DkUNi1EvGEW93Gtx1Lhrds4t+whW2ANQyj:/DkUrOEW9GLhds4tdUGs

Score

10^/10

redline sectoprat cheat infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

54.37.0.50:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2712-97-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2712-98-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2712-101-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2712-104-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2712-106-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2712-97-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2712-98-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2712-101-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2712-104-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2712-106-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Executes dropped EXE 3 IoCs

pid	Process
2232	PO.exe
2696	PO.exe
2712	PO.exe

Loads dropped DLL 6 IoCs

pid	Process
936	ORDER QUOTATION LIST.pdf.exe
936	ORDER QUOTATION LIST.pdf.exe
936	ORDER QUOTATION LIST.pdf.exe
936	ORDER QUOTATION LIST.pdf.exe
2232	PO.exe
2232	PO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2712	2232	PO.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2232	PO.exe
2232	PO.exe
2804	powershell.exe
2712	PO.exe
2712	PO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	PO.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2712	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	DllHost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2232	936	ORDER QUOTATION LIST.pdf.exe	29
PID 936 wrote to memory of 2232	936	ORDER QUOTATION LIST.pdf.exe	29
PID 936 wrote to memory of 2232	936	ORDER QUOTATION LIST.pdf.exe	29
PID 936 wrote to memory of 2232	936	ORDER QUOTATION LIST.pdf.exe	29
PID 2232 wrote to memory of 2804	2232	PO.exe	32
PID 2232 wrote to memory of 2804	2232	PO.exe	32
PID 2232 wrote to memory of 2804	2232	PO.exe	32
PID 2232 wrote to memory of 2804	2232	PO.exe	32
PID 2232 wrote to memory of 2720	2232	PO.exe	34
PID 2232 wrote to memory of 2720	2232	PO.exe	34
PID 2232 wrote to memory of 2720	2232	PO.exe	34
PID 2232 wrote to memory of 2720	2232	PO.exe	34
PID 2232 wrote to memory of 2696	2232	PO.exe	36
PID 2232 wrote to memory of 2696	2232	PO.exe	36
PID 2232 wrote to memory of 2696	2232	PO.exe	36
PID 2232 wrote to memory of 2696	2232	PO.exe	36
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37
PID 2232 wrote to memory of 2712	2232	PO.exe	37

C:\Users\Admin\AppData\Local\Temp\ORDER QUOTATION LIST.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER QUOTATION LIST.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HkWvxrVQQbZ.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HkWvxrVQQbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFA0.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFA0.tmp

Filesize
1KB

MD5
9ef070bc7d014555ef872cb9138d0a22

SHA1
102d5e66302ef3dec5d94707bc13f4687e9f6865

SHA256
81f44df84bdd2c9175911518f64f805c35a7ec668a0e0ce436f6f812b2d4ae91

SHA512
8db2264b0dbdf8067407b91ac09025a8a1510236328bc2eb948a1f747693ca6cc25c516c00c25b3993f0b3a951fecdcb93981817934aef91b1192628e6d25cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF96.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFF9.tmp

Filesize
92KB

MD5
c82ded5238df07df6d7fc9b7e679d891

SHA1
0f94e7eaf237f798782ee3c9b325773f56223e16

SHA256
fa9ab279f70d44c87b81739869419f029fdf85c59952a8f51c181453250eb1c9

SHA512
9cc39ec7c5dae89cd6c22ba1356e0557cb0b6a524a2428afdb2bd21fdd8dd8d073d4707687f0a90c7756a4305220ce5ae7e8cdb248bfb7c8e30457fc5bfeb2b2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
memory/936-58-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/2232-76-0x0000000000C70000-0x0000000000D0E000-memory.dmp

Filesize
632KB

Download
memory/2232-75-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-83-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/2232-84-0x0000000005AF0000-0x0000000005B48000-memory.dmp

Filesize
352KB

Download
memory/2232-81-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-108-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-79-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/2232-78-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2232-82-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2712-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-115-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-95-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-106-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-195-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-107-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-116-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2712-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-113-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2804-112-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2804-110-0x000000006E0E0000-0x000000006E68B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-114-0x000000006E0E0000-0x000000006E68B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-111-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2804-109-0x000000006E0E0000-0x000000006E68B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-60-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3060-59-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/3060-80-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download