redline | 9f35d6f51c51ddf83bb8016e50070c9a80ad48c8b3ba79d5f1b32371698ec334

Analysis

max time kernel
145s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07e58a5952a99485fef430e3c8ae3acc.exe
Size

2.3MB
MD5

07e58a5952a99485fef430e3c8ae3acc
SHA1

34d544d918856b3961171b68390a11f44076dcbd
SHA256

9f35d6f51c51ddf83bb8016e50070c9a80ad48c8b3ba79d5f1b32371698ec334
SHA512

22d59a6ab877c2ab0b06b45348a0357789cd411ce2928430a62d0b8afd5f0f1ea21dcee5a392d986b71954c2ca5e9ef5b0c7a1f18dfcb0858c28eb3545576538
SSDEEP

49152:Q5+hF/WO/W53Xa2WGih8YhxEB3HXgSaPIMxQcnqXUZ1JVIxiz8lVHTIioOFZQ+R:Q5aF/WO/WhXzkhbfEerPIEQ2Z1JmxiqX

Score

10^/10

redline sectoprat @polireek infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@PoliReek

45.14.49.109:21295

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000192f9-82.dat	family_redline
behavioral1/memory/1700-85-0x00000000012E0000-0x00000000012FE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000192f9-82.dat	family_sectoprat
behavioral1/memory/1700-85-0x00000000012E0000-0x00000000012FE000-memory.dmp	family_sectoprat

Executes dropped EXE 10 IoCs

pid	Process
2716	7z.exe
2708	7z.exe
2828	7z.exe
2616	7z.exe
2064	7z.exe
2964	7z.exe
1184	7z.exe
572	7z.exe
2520	7z.exe
1700	build.exe

Loads dropped DLL 18 IoCs

pid	Process
2788	cmd.exe
2716	7z.exe
2788	cmd.exe
2708	7z.exe
2788	cmd.exe
2828	7z.exe
2788	cmd.exe
2616	7z.exe
2788	cmd.exe
2064	7z.exe
2788	cmd.exe
2964	7z.exe
2788	cmd.exe
1184	7z.exe
2788	cmd.exe
572	7z.exe
2788	cmd.exe
2520	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1700	build.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeRestorePrivilege	2716	7z.exe
Token: 35	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeRestorePrivilege	2708	7z.exe
Token: 35	2708	7z.exe
Token: SeSecurityPrivilege	2708	7z.exe
Token: SeSecurityPrivilege	2708	7z.exe
Token: SeRestorePrivilege	2828	7z.exe
Token: 35	2828	7z.exe
Token: SeSecurityPrivilege	2828	7z.exe
Token: SeSecurityPrivilege	2828	7z.exe
Token: SeRestorePrivilege	2616	7z.exe
Token: 35	2616	7z.exe
Token: SeSecurityPrivilege	2616	7z.exe
Token: SeSecurityPrivilege	2616	7z.exe
Token: SeRestorePrivilege	2064	7z.exe
Token: 35	2064	7z.exe
Token: SeSecurityPrivilege	2064	7z.exe
Token: SeSecurityPrivilege	2064	7z.exe
Token: SeRestorePrivilege	2964	7z.exe
Token: 35	2964	7z.exe
Token: SeSecurityPrivilege	2964	7z.exe
Token: SeSecurityPrivilege	2964	7z.exe
Token: SeRestorePrivilege	1184	7z.exe
Token: 35	1184	7z.exe
Token: SeSecurityPrivilege	1184	7z.exe
Token: SeSecurityPrivilege	1184	7z.exe
Token: SeRestorePrivilege	572	7z.exe
Token: 35	572	7z.exe
Token: SeSecurityPrivilege	572	7z.exe
Token: SeSecurityPrivilege	572	7z.exe
Token: SeRestorePrivilege	2520	7z.exe
Token: 35	2520	7z.exe
Token: SeSecurityPrivilege	2520	7z.exe
Token: SeSecurityPrivilege	2520	7z.exe
Token: SeDebugPrivilege	1700	build.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2788	1984	07e58a5952a99485fef430e3c8ae3acc.exe	28
PID 1984 wrote to memory of 2788	1984	07e58a5952a99485fef430e3c8ae3acc.exe	28
PID 1984 wrote to memory of 2788	1984	07e58a5952a99485fef430e3c8ae3acc.exe	28
PID 1984 wrote to memory of 2788	1984	07e58a5952a99485fef430e3c8ae3acc.exe	28
PID 2788 wrote to memory of 2780	2788	cmd.exe	30
PID 2788 wrote to memory of 2780	2788	cmd.exe	30
PID 2788 wrote to memory of 2780	2788	cmd.exe	30
PID 2788 wrote to memory of 2716	2788	cmd.exe	31
PID 2788 wrote to memory of 2716	2788	cmd.exe	31
PID 2788 wrote to memory of 2716	2788	cmd.exe	31
PID 2788 wrote to memory of 2708	2788	cmd.exe	32
PID 2788 wrote to memory of 2708	2788	cmd.exe	32
PID 2788 wrote to memory of 2708	2788	cmd.exe	32
PID 2788 wrote to memory of 2828	2788	cmd.exe	33
PID 2788 wrote to memory of 2828	2788	cmd.exe	33
PID 2788 wrote to memory of 2828	2788	cmd.exe	33
PID 2788 wrote to memory of 2616	2788	cmd.exe	34
PID 2788 wrote to memory of 2616	2788	cmd.exe	34
PID 2788 wrote to memory of 2616	2788	cmd.exe	34
PID 2788 wrote to memory of 2064	2788	cmd.exe	35
PID 2788 wrote to memory of 2064	2788	cmd.exe	35
PID 2788 wrote to memory of 2064	2788	cmd.exe	35
PID 2788 wrote to memory of 2964	2788	cmd.exe	36
PID 2788 wrote to memory of 2964	2788	cmd.exe	36
PID 2788 wrote to memory of 2964	2788	cmd.exe	36
PID 2788 wrote to memory of 1184	2788	cmd.exe	37
PID 2788 wrote to memory of 1184	2788	cmd.exe	37
PID 2788 wrote to memory of 1184	2788	cmd.exe	37
PID 2788 wrote to memory of 572	2788	cmd.exe	38
PID 2788 wrote to memory of 572	2788	cmd.exe	38
PID 2788 wrote to memory of 572	2788	cmd.exe	38
PID 2788 wrote to memory of 2520	2788	cmd.exe	39
PID 2788 wrote to memory of 2520	2788	cmd.exe	39
PID 2788 wrote to memory of 2520	2788	cmd.exe	39
PID 2788 wrote to memory of 1704	2788	cmd.exe	40
PID 2788 wrote to memory of 1704	2788	cmd.exe	40
PID 2788 wrote to memory of 1704	2788	cmd.exe	40
PID 2788 wrote to memory of 1700	2788	cmd.exe	41
PID 2788 wrote to memory of 1700	2788	cmd.exe	41
PID 2788 wrote to memory of 1700	2788	cmd.exe	41
PID 2788 wrote to memory of 1700	2788	cmd.exe	41

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\07e58a5952a99485fef430e3c8ae3acc.exe
"C:\Users\Admin\AppData\Local\Temp\07e58a5952a99485fef430e3c8ae3acc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e file.zip -p -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\system32\attrib.exe
    attrib +H "build.exe"""
    3⤵
    - Views/modifies file attributes
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
    "build.exe"""
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

Filesize
2.0MB

MD5
81f6eb9273b7bd8a96e7d94cf6df0d45

SHA1
2fb78f87055b0c0e63ab6a6d35dbb8f318f56efd

SHA256
29a6043455f4cf9296717abf8e323db5da512de55d485c7a15e5dc264b667284

SHA512
7af406effd26f84defda499955b9de975b8c75014c8d45e75c3cb2340ba38b2ea5224eb3a9df5c7c5d1d67b5d84b89d9d3f080b2b44ebf64101ceb14e58548c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\build.exe

Filesize
92KB

MD5
d0b677690e288de40d10140505e8dd72

SHA1
62ac1f43b91e59739b232ae764aaf9d7114ba0d6

SHA256
39105efbd7710c5e2bf80847c765de7971378b5f6a82dda3d3a6008b1f535a6d

SHA512
1e5baa7a78b4ee262dfe2e3e252aac93ba149990d11481f446c79fa5dd942100d2e65af58659a261c5a4fa0de0de8fb75132a72c4b9db240a7920f1f19061c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

Filesize
38KB

MD5
bfe2ddd05474a649821883a786daf3f2

SHA1
7c052df30e163e6de15efa64e588049efd982bb8

SHA256
22d59784192dd28017c67e46022855fbd51e556b3f817603677fc95e65ea2a5d

SHA512
d268234a95a2f0ee197768d0d76eacdbf31b61fbe1399dc3c5c8f42118e8f2bbd316f27ecfe6fb3979228cabaea798559f4b9884c1fde89825a1b19d4ad25fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

Filesize
38KB

MD5
2e50bedbd03d8618f4219518c836784c

SHA1
3ffffd73dd28ac316b328c1a74ae1cbef6e1fd2c

SHA256
da74ce5ad44bf42eab9c8c856a783319966d7bd61a03835a927c5d8966ecf19f

SHA512
bfb46ab3bc7376eba4a049fa44902ab4ca8a596024c12075885e3437279f903ef40cf60d76df08aa788f2285d4d556dbcc1c62bbb9401fe26b1ad37176fb471c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

Filesize
38KB

MD5
20cec54e3349eaf0d7e20ceeafeaffcb

SHA1
f1ae63dc7a86a9c589158cb9b1a16f69e508e842

SHA256
e73aed028f1bd5046f63b3d2eb7608092f63249cd4ea2793b04c2981a4d7da4e

SHA512
324ab9b1330aeaa1bfa67021d10b7cbd8345b69a7ced10aacfedeb6114e0203e43ab12fe0fd5a56900e9e3302a6daf3a81e41361d2b31f56b45729be61363106

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

Filesize
39KB

MD5
e3f068f31fb74e6d1fbc8552f5de852a

SHA1
2b8843c11c6e4d51d7b5835148a3b43e88d54ccc

SHA256
68ab63a7b4378380c457711998efc9ab8d396517d67ec70088f82a820445ddbe

SHA512
ab88525422c7f45470ca837b00547c06000bcf754f9ef73f1f4871682b8ae6cbb67fd2376852ad420b1028c9f2ac686a36a5c221c0631a954e6223e6bd38440d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

Filesize
39KB

MD5
bc3f17657e09a9eddd468aa6d6807029

SHA1
be629e3555402f9e38fb366df58cbc20ed297032

SHA256
3d1485c64f8bfdcccaa5a81c19ca8c415da84cff9ca0367a2cb3eed06c1d6448

SHA512
ede1f943df7a07d4ffedd1dccc7776d695652f7ac12e08eb08bd5e62f73bc304cd2c1317ddddb44e36c5c4f3d9426c88f6842931cc7b5fed4c6d182456a21b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip

Filesize
39KB

MD5
718a77759908a8ef9aabf821c93c7172

SHA1
4766ebca5762e90b921217c5144a68f3d895cc63

SHA256
d2de7d2e14835e7f2d42557cb09f1bd08ff8b650be773b5020e7359f669aaa54

SHA512
a10111c81b3400028d39b19dba467c225c7c89351f86ee2401ee8bbd1daea5830f9be35bd724ce5b9c65ac4385df30091b77ef89cd54782ff612b30b2afd5a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip

Filesize
39KB

MD5
ace01cab184ffea31c017924813f9429

SHA1
22db77481e19c0539c350e428051a90ea6033dbd

SHA256
1bbd82991aad474e5ac2196bcce7f56f4c6c57b8734d209a1349a0590eea07a6

SHA512
802da8611b50f66e54c501c57473f776fe0c52442c16bfe73531dbfd9b51a4b9170bad92ef38eb951157058b9818a59debf4ebdc3b9174d43ddc3641a19fdfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_8.zip

Filesize
1.5MB

MD5
6eaf8230e343b88d8487443d191a979e

SHA1
fb0da4f856b967392235e8963bfe3835786093e7

SHA256
8b5530fa2f319526114591dda031cbb97ada9964d84e21247cec5e999e7e860d

SHA512
d6a95e6aa60ef3a09cf8cb89b60c05eb6bd031b8d60b2b36daf3bb65c6b29bf826b178d192a29c58f8588e416df1d382c5df002b72f63630bc34f062b3c6f482

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

Filesize
1.5MB

MD5
4420b26a72251a7452931d50752edd9e

SHA1
8ae066180f37715383f3a0d1289a6c7e8f5ce313

SHA256
e42bb7e818eacaad92a112b3e0a64bc71fe08f438dd2e7816ce8169683d2ea89

SHA512
28534d676c69e5fdc71929d1308320673819cdcf659c4e9ab02c6e125359b94497791d264d2a090dfcc3b07199da233a3fc125f28ae2753dc62224b2e7c4b6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Filesize
447B

MD5
20768c7c31e96dd488dda5534e0f498f

SHA1
c75439ae75e1668f57c904aa167c951fe70e28f8

SHA256
7f957b5db0105cd2b65f5b0f145bb1d113fd7bab2cce03f3f6d8395cf1fd39ba

SHA512
37fb2799497249c178fda4fedd5af7f16fd43aa409f6c82cf56e162cdb6cf5c2e7b417e78d53cdf04c8b181536a1b3c3345d0478501193c27dd2814506924a30

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1700-85-0x00000000012E0000-0x00000000012FE000-memory.dmp

Filesize
120KB

Download
memory/1700-86-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-87-0x0000000000F10000-0x0000000000F50000-memory.dmp

Filesize
256KB

Download
memory/1700-88-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-89-0x0000000000F10000-0x0000000000F50000-memory.dmp

Filesize
256KB

Download