redline | b6f0c3d53b93d35eff69c3ab8433189f87d2fc7bd94a09d8b0b69abee94cb301

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 14:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0x000c000000023117-105.exe
Size

95KB
MD5

854ff294f0a8549ed61ca06e100e55a7
SHA1

db0c534319c079e7c9f3c2b9a9fdeb7dfe61e6e7
SHA256

b6f0c3d53b93d35eff69c3ab8433189f87d2fc7bd94a09d8b0b69abee94cb301
SHA512

d81f614ecf98115b8646cc87c1f67738db836b0b5eeffdf789dca93057dc78a6803e3114217fb863773e914f734379acd3dc6c76541bba0b11f10cbe25a79420
SSDEEP

1536:Bqs+FRcqWClbG6jejoigI743Ywzi0Zb78ivombfexv0ujXyyed28tmulgS6pUl:veRclyY7+zi0ZbYe1g0ujyzdoU

Score

10^/10

redline sectoprat cashoutgang discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cashoutgang

4.229.227.81:33222

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/2964-1-0x0000000000EB0000-0x0000000000ECE000-memory.dmp	family_redline
behavioral1/memory/2964-2-0x0000000000A50000-0x0000000000A90000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2964-1-0x0000000000EB0000-0x0000000000ECE000-memory.dmp	family_sectoprat
behavioral1/memory/2964-2-0x0000000000A50000-0x0000000000A90000-memory.dmp	family_sectoprat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	0x000c000000023117-105.exe
2964	0x000c000000023117-105.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	0x000c000000023117-105.exe

C:\Users\Admin\AppData\Local\Temp\0x000c000000023117-105.exe
"C:\Users\Admin\AppData\Local\Temp\0x000c000000023117-105.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC286.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDA.tmp

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDB.tmp

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDC.tmp

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDD.tmp

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDE.tmp

Filesize
636KB

MD5
0bdd81238ff8fdd96b52e5caad9cc4a9

SHA1
ad536e0146f5c3c5df886f0a726e82bc274ea8c8

SHA256
dfc56468ab2f9af8d77eb14b0a9c3991d24929c00de1db480496a27bd0e8b70d

SHA512
9b22cde98e3dfa4f4db505f84d2052c459814c2fecceea079401bcff5563e99f604468bc35eb680684aa75a3f9dfecb25316fe58e4f9e67c3f1ea9767c2fc680

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE1E.tmp

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF2A.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF3F.tmp

Filesize
92KB

MD5
9de8f5c2b2916ab8ca2989f2fe8b3fe2

SHA1
64e7ec07d4d201ad2a5067be2e43429240394339

SHA256
ace3173e6cbc20b7b89aba8db456417a654e26147b9f0a97e8289147782324b8

SHA512
ba3bacb0e8639c763015791dc19411ccc1f3eaca807815988cafd8d4ebe7ced1e02daab55583df505bd42275589509e98c967466015afff5e9792ac74cb432f4

Download Submit
memory/2964-0-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-11-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/2964-10-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-2-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/2964-1-0x0000000000EB0000-0x0000000000ECE000-memory.dmp

Filesize
120KB

Download
memory/2964-133-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download