redline | bcb380255f3dad767bbf18e7268dafcfbb70bb1934736eb172488b445975ba83

General

Target

01bf86b5caf867e70f0c6fb148125a5a.exe
Size

1.1MB
MD5

01bf86b5caf867e70f0c6fb148125a5a
SHA1

3cded8fd741f886845f9f3093b6651203daa0522
SHA256

bcb380255f3dad767bbf18e7268dafcfbb70bb1934736eb172488b445975ba83
SHA512

7138741b13cc8eeaf46bfa8dde9f483439a3def3862aa47aafb590b47eb5b2fd14786f7edcc66ae2d154219427c22f3d4966a31418135f2c4819ecd48ee818ab
SSDEEP

24576:b/YMs9GEi5T5VFagmiuly8jjRUQoMmJB:b/mi9foguYQoMQ

Score

10^/10

redline sectoprat test1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

test1

C2

xoyuluilsh.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1584-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1584-19-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1584-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1584-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1584-26-0x0000000004F10000-0x0000000004F50000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1584-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1584-19-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1584-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1584-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1584-26-0x0000000004F10000-0x0000000004F50000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

01bf86b5caf867e70f0c6fb148125a5a.exe

description pid process target process

PID 3036 set thread context of 1584 3036 01bf86b5caf867e70f0c6fb148125a5a.exe 01bf86b5caf867e70f0c6fb148125a5a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

01bf86b5caf867e70f0c6fb148125a5a.exe

description pid process

Token: SeDebugPrivilege 1584 01bf86b5caf867e70f0c6fb148125a5a.exe

description	pid	process	target process
PID 3036 set thread context of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe

description	pid	process
Token: SeDebugPrivilege	1584	01bf86b5caf867e70f0c6fb148125a5a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

01bf86b5caf867e70f0c6fb148125a5a.exe

description	pid	process	target process
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe
PID 3036 wrote to memory of 1584	3036	01bf86b5caf867e70f0c6fb148125a5a.exe	01bf86b5caf867e70f0c6fb148125a5a.exe

C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe
"C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe
"C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1584-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-27-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/1584-26-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/1584-25-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/1584-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-28-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/1584-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3036-2-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/3036-8-0x00000000009F0000-0x0000000000A16000-memory.dmp

Filesize
152KB

Download
memory/3036-1-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-0-0x0000000000E30000-0x0000000000F56000-memory.dmp

Filesize
1.1MB

Download
memory/3036-23-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-7-0x0000000005C10000-0x0000000005C7C000-memory.dmp

Filesize
432KB

Download
memory/3036-6-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/3036-5-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-3-0x0000000004C90000-0x0000000004D0C000-memory.dmp

Filesize
496KB

Download
memory/3036-4-0x0000000000850000-0x0000000000876000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads