redline | fa85c2dd434176da1bb226c0f3ecfcc4109bea4f9a7b6317eb7a97f29724d4c9

General

Target

35cfccf5d14427f7c804312acf914ac2.exe
Size

202KB
MD5

35cfccf5d14427f7c804312acf914ac2
SHA1

53474d5b1217b29c4eafcc0d60da60e1a4600cc7
SHA256

fa85c2dd434176da1bb226c0f3ecfcc4109bea4f9a7b6317eb7a97f29724d4c9
SHA512

10cd1319705aa3f857c32896bbe2924ce7cb91537b5289c95daacba8277eb9802d3ea37559a8db9ca7dfb2c1059dcaa5d74a2b8ccad695ea2c2baf3a1c1e68d2
SSDEEP

6144:ZPaSTDWB7wuh9suT7wxRxfsCJe0YDJfqn+:ZPaSUwuhB7UxfFoDJfq

Score

10^/10

redline sectoprat @vertebrae7 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@vertebrae7

C2

45.81.227.32:22625

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2212-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2212-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2212-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2212-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2212-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2212-22-0x0000000004B00000-0x0000000004B40000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2212-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2212-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2212-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2212-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2212-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2212-22-0x0000000004B00000-0x0000000004B40000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	35cfccf5d14427f7c804312acf914ac2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28
PID 1052 wrote to memory of 2212	1052	35cfccf5d14427f7c804312acf914ac2.exe	28

C:\Users\Admin\AppData\Local\Temp\35cfccf5d14427f7c804312acf914ac2.exe
"C:\Users\Admin\AppData\Local\Temp\35cfccf5d14427f7c804312acf914ac2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\35cfccf5d14427f7c804312acf914ac2.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-0-0x0000000000F30000-0x0000000000F6C000-memory.dmp

Filesize
240KB

Download
memory/1052-1-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-2-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/1052-3-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/1052-4-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/1052-5-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1052-6-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/1052-18-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2212-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-19-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-20-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/2212-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-21-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-22-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing