redline | ba85db2614120d1e5b26b4c89847f219317a823bf1e3382cb379666677b0a8fe

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ORDER QUOTATION LIST.pdf.exe
Size

837KB
MD5

00b7354438e3a2483c5c4e0c52d10f7e
SHA1

c1c3b90b1cf7541abd6bd9f098811c368078ed0b
SHA256

ba85db2614120d1e5b26b4c89847f219317a823bf1e3382cb379666677b0a8fe
SHA512

0e1dfb63dd23f508d6d82c89a62618071be5ba3b4b88b4645951c054b96c15ce7e9676976670147a720369f161d554d4af986749e4c3e12f73b1d2954c98a863
SSDEEP

24576:/DkUNi1EvGEW93Gtx1Lhrds4t+whW2ANQyj:/DkUrOEW9GLhds4tdUGs

Score

10^/10

redline sectoprat cheat infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

54.37.0.50:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1204-95-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1204-96-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1204-99-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1204-105-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1204-103-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1204-95-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1204-96-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1204-99-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1204-105-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1204-103-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

pid	Process
2860	PO.exe
1204	PO.exe

Loads dropped DLL 5 IoCs

pid	Process
2632	ORDER QUOTATION LIST.pdf.exe
2632	ORDER QUOTATION LIST.pdf.exe
2632	ORDER QUOTATION LIST.pdf.exe
2632	ORDER QUOTATION LIST.pdf.exe
2860	PO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 1204	2860	PO.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
992	powershell.exe
1204	PO.exe
1204	PO.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1204	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	DllHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2860	2632	ORDER QUOTATION LIST.pdf.exe	29
PID 2632 wrote to memory of 2860	2632	ORDER QUOTATION LIST.pdf.exe	29
PID 2632 wrote to memory of 2860	2632	ORDER QUOTATION LIST.pdf.exe	29
PID 2632 wrote to memory of 2860	2632	ORDER QUOTATION LIST.pdf.exe	29
PID 2860 wrote to memory of 992	2860	PO.exe	32
PID 2860 wrote to memory of 992	2860	PO.exe	32
PID 2860 wrote to memory of 992	2860	PO.exe	32
PID 2860 wrote to memory of 992	2860	PO.exe	32
PID 2860 wrote to memory of 928	2860	PO.exe	34
PID 2860 wrote to memory of 928	2860	PO.exe	34
PID 2860 wrote to memory of 928	2860	PO.exe	34
PID 2860 wrote to memory of 928	2860	PO.exe	34
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36
PID 2860 wrote to memory of 1204	2860	PO.exe	36

C:\Users\Admin\AppData\Local\Temp\ORDER QUOTATION LIST.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER QUOTATION LIST.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HkWvxrVQQbZ.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HkWvxrVQQbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp317C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp317C.tmp

Filesize
1KB

MD5
3c5b5c9d96f8fae6d970f08f8d5e3ad0

SHA1
2150d89913e048d06fa7d2462eae557f9c38526b

SHA256
d08142860f67f8b35edab2b3afe467d458e1a85ab330d3ba468813a3dc104f4c

SHA512
018352279ae891aded205594beb8c8257568c1f25475516fb0352fafe3ef7c6f32000439abf71e7b20ce818a269dbc00bbf7bb3266c3798bf77633a224218509

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A49.tmp

Filesize
92KB

MD5
9fa32c90b927a01aea398567a3227b98

SHA1
2ff56ad2f84bba84afb63632d1df7390a8a17274

SHA256
c6e4fd90ce6cf6cd8e9d437cc4ae5030d160e4419447499db71546f46f430c06

SHA512
1a96e3e0bc0e72c0fe2d18df62f7b2a181a51fc57bf9cfaf4b52722167b91cabf880856758316f791a80f8203bcf31e2d8fb1d88af4d757b091573cf6ea557b7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
610KB

MD5
81d739547e9078bf560fa65f7302bb06

SHA1
798f837ee8c948e2762866450527802e3601d6f9

SHA256
07585439575758b5305c9f39f6eadcd952e68a9b88effb17eeb66ed835fb0f03

SHA512
292454f5b212c99f785715983fe966f499143d15c070c4eec2f18da75608c42770abe711126414c70e68fd3c228d0dd3d529231c8dc92ebaa39f5f77e50adc8e

Download Submit
memory/992-113-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/992-112-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/992-110-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/992-109-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/992-111-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/992-115-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1204-108-0x0000000072F00000-0x00000000735EE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-204-0x0000000072F00000-0x00000000735EE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-116-0x0000000072F00000-0x00000000735EE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-93-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1204-95-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1204-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1204-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1204-99-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1204-114-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/1204-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1204-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2068-80-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2068-59-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2068-60-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2632-58-0x0000000000F00000-0x0000000000F02000-memory.dmp

Filesize
8KB

Download
memory/2860-79-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2860-78-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2860-76-0x00000000735F0000-0x0000000073CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2860-82-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2860-75-0x0000000000D20000-0x0000000000DBE000-memory.dmp

Filesize
632KB

Download
memory/2860-101-0x00000000735F0000-0x0000000073CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2860-81-0x00000000735F0000-0x0000000073CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2860-84-0x0000000004F30000-0x0000000004F88000-memory.dmp

Filesize
352KB

Download
memory/2860-83-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download