redline | 1224cdecf59f5e3198dbce3e1f0b3d53eab47d4291fcf4bd0ce517a88e280b10

General

Target

f8f5ea7b4dd40b42ab8937036b05391a.exe
Size

841KB
MD5

f8f5ea7b4dd40b42ab8937036b05391a
SHA1

c7d2e4d5269e4535792d1aedeef776c00a3dc08e
SHA256

1224cdecf59f5e3198dbce3e1f0b3d53eab47d4291fcf4bd0ce517a88e280b10
SHA512

30ba183d28edff25ed8568f93cd3c492eef5a54a1b25097c59d832dfce8f4d99a2bd84d76a743803be4b1ac3e44b960b8df5acea2e5b020fa1cdb978566021dc
SSDEEP

12288:N5tMjaV02iNv4sNuA76J+Q7p9DGfTMrE1u/4d6YO4pbytTS2uftGFUYlrr:D1V01usAA76JhTDoTMEMw6YOgyVS2f

Score

10^/10

redline sectoprat @ekzzz44 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@ekzzz44

C2

95.215.207.185:64399

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/2596-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-14-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-19-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-21-0x0000000004D30000-0x0000000004D70000-memory.dmp	family_redline
behavioral1/memory/2596-23-0x0000000004D30000-0x0000000004D70000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2596-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2596-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2596-14-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2596-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2596-19-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2596-21-0x0000000004D30000-0x0000000004D70000-memory.dmp	family_sectoprat
behavioral1/memory/2596-23-0x0000000004D30000-0x0000000004D70000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	f8f5ea7b4dd40b42ab8937036b05391a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30
PID 3032 wrote to memory of 2596	3032	f8f5ea7b4dd40b42ab8937036b05391a.exe	30

C:\Users\Admin\AppData\Local\Temp\f8f5ea7b4dd40b42ab8937036b05391a.exe
"C:\Users\Admin\AppData\Local\Temp\f8f5ea7b4dd40b42ab8937036b05391a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\f8f5ea7b4dd40b42ab8937036b05391a.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-23-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/2596-22-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-21-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/2596-20-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-7-0x0000000005DC0000-0x0000000005E28000-memory.dmp

Filesize
416KB

Download
memory/3032-17-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-0-0x0000000000F50000-0x0000000001028000-memory.dmp

Filesize
864KB

Download
memory/3032-6-0x0000000008160000-0x0000000008216000-memory.dmp

Filesize
728KB

Download
memory/3032-5-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/3032-4-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-3-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/3032-2-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing