Malware Analysis Report

2025-08-10 16:50

Sample ID 231225-pphyasbgfj
Target 1e77d802493fdc0dbe069b24d16af26b
SHA256 019960c087dbaca50dd404d594ba2735b146ed708b01de3290442872f6ec8fab
Tags
redline sectoprat @lolajetyk infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

019960c087dbaca50dd404d594ba2735b146ed708b01de3290442872f6ec8fab

Threat Level: Known bad

The file 1e77d802493fdc0dbe069b24d16af26b was found to be: Known bad.

Malicious Activity Summary

redline sectoprat @lolajetyk infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-25 12:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 12:30

Reported

2023-12-26 04:28

Platform

win7-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 12:30

Reported

2023-12-26 04:29

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 988 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe C:\Windows\system32\cmd.exe
PID 988 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe C:\Windows\system32\cmd.exe
PID 2452 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2452 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2452 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2452 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2452 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2452 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
PID 2452 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
PID 2452 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe

"C:\Users\Admin\AppData\Local\Temp\1e77d802493fdc0dbe069b24d16af26b.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p -oextracted

C:\Windows\system32\attrib.exe

attrib +H "build.exe"""

C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

"build.exe"""

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_6.zip -oextracted

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 45.14.49.109:21295 tcp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 45.14.49.109:21295 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
NL 45.14.49.109:21295 tcp
NL 45.14.49.109:21295 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
NL 45.14.49.109:21295 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

MD5 ab6da57610ec2d3c8d6f2e35f48178d3
SHA1 58cc1e7f0f4ceb22ac163738a0feeebfc56a6908
SHA256 7eb499c94cfc7c913fa2224866c65030888b793f3317fed143b11ab2d173cd2c
SHA512 c84502dedb64d87570da4faeb0eb8f9a9ed2d9656c1a3bc0f791dd0db1b723fc56e17f4f05b1584b45cd9cbb198927d4e636281cf923d69ab68f5f5e7cea9fa4

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

MD5 e678221ef4505c7a954691189ec632e6
SHA1 2ddcdbd19ec8fb4235362c23b4ea71248213224a
SHA256 117e40ce02ec885e75aae2dcd818f7844305cad65ceaec10f1ad4716155e6fc7
SHA512 3241d33071ea108f02c7d2eb99080104e06faca434aaf51fc2ea6d3219881a49f0419c8976f7bbc2e5d834f191837e8c8a170151f4acf24f805a1db71f39fa54

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/532-60-0x0000000072FE0000-0x0000000073790000-memory.dmp

memory/532-59-0x0000000000D70000-0x0000000000D8E000-memory.dmp

memory/532-61-0x0000000005E00000-0x0000000006418000-memory.dmp

memory/532-62-0x0000000005730000-0x0000000005742000-memory.dmp

memory/532-63-0x0000000005790000-0x00000000057CC000-memory.dmp

memory/532-64-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/532-65-0x00000000057E0000-0x000000000582C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 acffdc31f6d80f204375147644fd3437
SHA1 4ca721f135c4f31dfec93554c30d751a9cccca3d
SHA256 13a926262a6388325d8118a0eb15e425d91252262b8bd79f87c1f8a42bedb81f
SHA512 b30bde48bf91010ad5aaefb63ff800124df7734ac80b68a582943371c04db3c9b4e54bfe46e2675b05ce0e7a1ab625f554711d3cb0967e13f3fa443924a75237

memory/532-66-0x0000000005A40000-0x0000000005B4A000-memory.dmp

memory/532-67-0x0000000072FE0000-0x0000000073790000-memory.dmp

memory/532-68-0x00000000057D0000-0x00000000057E0000-memory.dmp