redline | 8c827810f02e75f07007ed562147c79d8c4cc1ed448d365b3a198a4f318cfa0f

General

Target

001919e17b2e2fee7b74dd6058658047.exe
Size

370KB
MD5

001919e17b2e2fee7b74dd6058658047
SHA1

482f4e7165e97eee550f12d2ba5e48f407580172
SHA256

8c827810f02e75f07007ed562147c79d8c4cc1ed448d365b3a198a4f318cfa0f
SHA512

81906315de87b82a1d8e0de59556cb1d5a2e0c4fa4547ef2827bf96a0a99e0b41469d0ca9d62f405af7243b8d1745370c52838363a9389584e9e7cb8200960eb
SSDEEP

6144:g6M4Ry8+IWoa+eEuBCPBMCmi/3dz3OBE7Caok+ceM:pM4EDIWoa+eEuBCPBMCmi/3dz3OBE7Cn

Score

10^/10

redline sectoprat sel22 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

sel22

C2

salkefard.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2832-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2832-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2832-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2832-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2832-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2832-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2832-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2832-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2832-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2832-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2832-16-0x0000000000AF0000-0x0000000000B30000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

001919e17b2e2fee7b74dd6058658047.exe

description pid process target process

PID 2360 set thread context of 2832 2360 001919e17b2e2fee7b74dd6058658047.exe 001919e17b2e2fee7b74dd6058658047.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

001919e17b2e2fee7b74dd6058658047.exe

description pid process

Token: SeDebugPrivilege 2832 001919e17b2e2fee7b74dd6058658047.exe

description	pid	process	target process
PID 2360 set thread context of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe

description	pid	process
Token: SeDebugPrivilege	2832	001919e17b2e2fee7b74dd6058658047.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

001919e17b2e2fee7b74dd6058658047.exe

description	pid	process	target process
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe
PID 2360 wrote to memory of 2832	2360	001919e17b2e2fee7b74dd6058658047.exe	001919e17b2e2fee7b74dd6058658047.exe

C:\Users\Admin\AppData\Local\Temp\001919e17b2e2fee7b74dd6058658047.exe
"C:\Users\Admin\AppData\Local\Temp\001919e17b2e2fee7b74dd6058658047.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\001919e17b2e2fee7b74dd6058658047.exe
C:\Users\Admin\AppData\Local\Temp\001919e17b2e2fee7b74dd6058658047.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-1-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2360-0-0x0000000000D40000-0x0000000000DA2000-memory.dmp

Filesize
392KB

Download
memory/2360-2-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/2360-15-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-14-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-16-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/2832-17-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-18-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads