redline | 7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f

General

Target

1ae71d2a00c2781136f0d041617131ad.exe
Size

4.6MB
MD5

1ae71d2a00c2781136f0d041617131ad
SHA1

ac45f06da190a8fbf7e5f4e9f7d9afdd941e7df6
SHA256

7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
SHA512

597ddab8dafc57121ac7b24f4517ae6c2bed20ff4563acfedb0c5f074188f1cae289d1a31a4b76ebd6ce14eeba5d309de1f79a26cf15e08eb93469989c640d91
SSDEEP

98304:P2fwb4rsly4guky5c4l0SsNL8eHNLqC0w9e+Zl/As4gXdu:swEsYM5OSsgAb/AVgX4

Score

10^/10

redline sectoprat @oxphoenix infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@OxPhOenix

C2

77.220.212.176:35752

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-14-0x0000000000990000-0x0000000000D12000-memory.dmp	family_sectoprat
behavioral1/memory/2172-13-0x0000000000990000-0x0000000000D12000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

Updater.exeBBvVfoqwceAQmZX.exe

pid process

2172 Updater.exe
2904 BBvVfoqwceAQmZX.exe
Loads dropped DLL 5 IoCs

Processes:

1ae71d2a00c2781136f0d041617131ad.exeWerFault.exe

pid process

1276 1ae71d2a00c2781136f0d041617131ad.exe
1276 1ae71d2a00c2781136f0d041617131ad.exe
1568 WerFault.exe
1568 WerFault.exe
1568 WerFault.exe

pid	process
1276	1ae71d2a00c2781136f0d041617131ad.exe
1276	1ae71d2a00c2781136f0d041617131ad.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

Updater.exe

pid	process
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe
2172	Updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1568 2904 WerFault.exe BBvVfoqwceAQmZX.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Updater.exe

description pid process

Token: SeDebugPrivilege 2172 Updater.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Updater.exe

pid process

2172 Updater.exe

pid	pid_target	process	target process
1568	2904	WerFault.exe	BBvVfoqwceAQmZX.exe

description	pid	process
Token: SeDebugPrivilege	2172	Updater.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1ae71d2a00c2781136f0d041617131ad.exeBBvVfoqwceAQmZX.exe

description	pid	process	target process
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2172	1276	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 1276 wrote to memory of 2904	1276	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe
PID 1276 wrote to memory of 2904	1276	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe
PID 1276 wrote to memory of 2904	1276	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe
PID 1276 wrote to memory of 2904	1276	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe
PID 2904 wrote to memory of 1568	2904	BBvVfoqwceAQmZX.exe	WerFault.exe
PID 2904 wrote to memory of 1568	2904	BBvVfoqwceAQmZX.exe	WerFault.exe
PID 2904 wrote to memory of 1568	2904	BBvVfoqwceAQmZX.exe	WerFault.exe
PID 2904 wrote to memory of 1568	2904	BBvVfoqwceAQmZX.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1ae71d2a00c2781136f0d041617131ad.exe
"C:\Users\Admin\AppData\Local\Temp\1ae71d2a00c2781136f0d041617131ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 224
3⤵
- Loads dropped DLL
- Program crash
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
Filesize
384KB

MD5
ebc52354012d3139f5bfe6b8d1853ca2

SHA1
a5f5aab1c08d901df25b200ed5ac5b0d63f0659b

SHA256
596fb6346d526df380c765e68f8c75f2939cd78949a1873d15bab63ed42d6c8a

SHA512
92c849d7fcdde84acd794b82e2a2aac17e95af52268e360f918d36e62ff2a0dce7805569d7982e20dd7a529915e7658368cbecabdf5551eabd5c1a6079f9c146

Download Submit
\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
1.1MB

MD5
73fb2d35e584c5b2a0bcee38de623547

SHA1
00112f9d61a13fbb6e2b5c74c3a7abcb09ff6b59

SHA256
ceada29a20a20983b6589bfbf4ff321f0bb3bbf692bdf90eab1ad441cc50eaff

SHA512
c3e956388816b6caa10f683d7973a0f6c1153c7abf005606d0b8381d85ea2a0beae0835ddd56524b52d54c9ab7b65d615a88100af6c4325ac88cfd66bad6f127

Download Submit
\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
Filesize
832KB

MD5
a59f8d9a10a046626c39164ff1acaabe

SHA1
851b85c80826cdcf0dec19492ec242c7f1263772

SHA256
46d53f7c8efd557ad1e58262f2905f2ebad341941ae1bfd34c0838294631ee75

SHA512
ab8a7ea3c167fbc5039886e83cb422a4f1f9f44e13a47c1deea86fc90adf20492e841a20a6b6e8ed538c02296804cf0c36eaa8692300ba58424a0d8054f4d6a9

Download Submit
memory/1276-5-0x00000000022E0000-0x0000000002662000-memory.dmp

Filesize
3.5MB

Download
memory/2172-2569-0x0000000005690000-0x00000000056D0000-memory.dmp

Filesize
256KB

Download
memory/2172-2568-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-16-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-14-0x0000000000990000-0x0000000000D12000-memory.dmp

Filesize
3.5MB

Download
memory/2172-13-0x0000000000990000-0x0000000000D12000-memory.dmp

Filesize
3.5MB

Download
memory/2172-605-0x0000000005690000-0x00000000056D0000-memory.dmp

Filesize
256KB

Download
memory/2904-886-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-872-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-838-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-842-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-848-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-852-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-858-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-862-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-868-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-874-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-880-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-882-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-827-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-888-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-884-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-878-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-876-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-832-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-870-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-866-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-864-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-860-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-856-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-854-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-850-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-846-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-844-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-840-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-836-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-834-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-830-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-828-0x0000000002910000-0x0000000002A21000-memory.dmp

Filesize
1.1MB

Download
memory/2904-15-0x0000000075B70000-0x0000000075BB7000-memory.dmp

Filesize
284KB

Download
memory/2904-12-0x0000000000400000-0x0000000000B75000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads