redline | 019960c087dbaca50dd404d594ba2735b146ed708b01de3290442872f6ec8fab

General

Target

1e77d802493fdc0dbe069b24d16af26b.exe
Size

2.3MB
MD5

1e77d802493fdc0dbe069b24d16af26b
SHA1

13dcdf0a5c135865f5154f7b6a7afdcbd44e18c7
SHA256

019960c087dbaca50dd404d594ba2735b146ed708b01de3290442872f6ec8fab
SHA512

ad17a897988717e4fa11bc263d7a7a02ba93b02db5e260c2306353bd77e15086d34f1a92d83f2a42cf7d8ec603f1b4147714e6df03597c9e4001ca03168ec9fc
SSDEEP

49152:M5+hFOYoKNA2AFktKu0+lVUkXFQ92sI9RzQNlWscseCxxiz8lVHTIioOFZQ+n:M5aFOWNA7ktZ7UkXK9dAuNlHc58xiqZr

Score

10^/10

redline sectoprat @lolajetyk infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@Lolajetyk

C2

45.14.49.109:21295

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/532-59-0x0000000000D70000-0x0000000000D8E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/532-59-0x0000000000D70000-0x0000000000D8E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	1e77d802493fdc0dbe069b24d16af26b.exe

Executes dropped EXE 8 IoCs

pid	Process
1408	7z.exe
2632	7z.exe
4316	7z.exe
2168	7z.exe
2092	7z.exe
484	7z.exe
4172	7z.exe
532	build.exe

Loads dropped DLL 7 IoCs

pid	Process
1408	7z.exe
2632	7z.exe
4316	7z.exe
2168	7z.exe
2092	7z.exe
484	7z.exe
4172	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	1408	7z.exe
Token: 35	1408	7z.exe
Token: SeSecurityPrivilege	1408	7z.exe
Token: SeSecurityPrivilege	1408	7z.exe
Token: SeRestorePrivilege	2632	7z.exe
Token: 35	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeRestorePrivilege	4316	7z.exe
Token: 35	4316	7z.exe
Token: SeSecurityPrivilege	4316	7z.exe
Token: SeSecurityPrivilege	4316	7z.exe
Token: SeRestorePrivilege	2168	7z.exe
Token: 35	2168	7z.exe
Token: SeSecurityPrivilege	2168	7z.exe
Token: SeSecurityPrivilege	2168	7z.exe
Token: SeRestorePrivilege	2092	7z.exe
Token: 35	2092	7z.exe
Token: SeSecurityPrivilege	2092	7z.exe
Token: SeSecurityPrivilege	2092	7z.exe
Token: SeRestorePrivilege	484	7z.exe
Token: 35	484	7z.exe
Token: SeSecurityPrivilege	484	7z.exe
Token: SeSecurityPrivilege	484	7z.exe
Token: SeRestorePrivilege	4172	7z.exe
Token: 35	4172	7z.exe
Token: SeSecurityPrivilege	4172	7z.exe
Token: SeSecurityPrivilege	4172	7z.exe
Token: SeDebugPrivilege	532	build.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2452	988	1e77d802493fdc0dbe069b24d16af26b.exe	93
PID 988 wrote to memory of 2452	988	1e77d802493fdc0dbe069b24d16af26b.exe	93
PID 2452 wrote to memory of 4604	2452	cmd.exe	95
PID 2452 wrote to memory of 4604	2452	cmd.exe	95
PID 2452 wrote to memory of 1408	2452	cmd.exe	96
PID 2452 wrote to memory of 1408	2452	cmd.exe	96
PID 2452 wrote to memory of 2632	2452	cmd.exe	106
PID 2452 wrote to memory of 2632	2452	cmd.exe	106
PID 2452 wrote to memory of 4316	2452	cmd.exe	105
PID 2452 wrote to memory of 4316	2452	cmd.exe	105
PID 2452 wrote to memory of 2168	2452	cmd.exe	104
PID 2452 wrote to memory of 2168	2452	cmd.exe	104
PID 2452 wrote to memory of 2092	2452	cmd.exe	101
PID 2452 wrote to memory of 2092	2452	cmd.exe	101
PID 2452 wrote to memory of 484	2452	cmd.exe	100
PID 2452 wrote to memory of 484	2452	cmd.exe	100
PID 2452 wrote to memory of 4172	2452	cmd.exe	99
PID 2452 wrote to memory of 4172	2452	cmd.exe	99
PID 2452 wrote to memory of 5048	2452	cmd.exe	97
PID 2452 wrote to memory of 5048	2452	cmd.exe	97
PID 2452 wrote to memory of 532	2452	cmd.exe	98
PID 2452 wrote to memory of 532	2452	cmd.exe	98
PID 2452 wrote to memory of 532	2452	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5048	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe
"C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4604
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e file.zip -p -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\system32\attrib.exe
    attrib +H "build.exe"""
    3⤵
    - Views/modifies file attributes
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
    "build.exe"""
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

Filesize
92KB

MD5
acffdc31f6d80f204375147644fd3437

SHA1
4ca721f135c4f31dfec93554c30d751a9cccca3d

SHA256
13a926262a6388325d8118a0eb15e425d91252262b8bd79f87c1f8a42bedb81f

SHA512
b30bde48bf91010ad5aaefb63ff800124df7734ac80b68a582943371c04db3c9b4e54bfe46e2675b05ce0e7a1ab625f554711d3cb0967e13f3fa443924a75237

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

Filesize
93KB

MD5
e678221ef4505c7a954691189ec632e6

SHA1
2ddcdbd19ec8fb4235362c23b4ea71248213224a

SHA256
117e40ce02ec885e75aae2dcd818f7844305cad65ceaec10f1ad4716155e6fc7

SHA512
3241d33071ea108f02c7d2eb99080104e06faca434aaf51fc2ea6d3219881a49f0419c8976f7bbc2e5d834f191837e8c8a170151f4acf24f805a1db71f39fa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Filesize
447B

MD5
ab6da57610ec2d3c8d6f2e35f48178d3

SHA1
58cc1e7f0f4ceb22ac163738a0feeebfc56a6908

SHA256
7eb499c94cfc7c913fa2224866c65030888b793f3317fed143b11ab2d173cd2c

SHA512
c84502dedb64d87570da4faeb0eb8f9a9ed2d9656c1a3bc0f791dd0db1b723fc56e17f4f05b1584b45cd9cbb198927d4e636281cf923d69ab68f5f5e7cea9fa4

Download Submit
memory/532-62-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/532-61-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/532-59-0x0000000000D70000-0x0000000000D8E000-memory.dmp

Filesize
120KB

Download
memory/532-63-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/532-64-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/532-65-0x00000000057E0000-0x000000000582C000-memory.dmp

Filesize
304KB

Download
memory/532-60-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/532-66-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/532-67-0x0000000072FE0000-0x0000000073790000-memory.dmp

Filesize
7.7MB

Download
memory/532-68-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing