redline | 7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f

General

Target

1ae71d2a00c2781136f0d041617131ad.exe
Size

4.6MB
MD5

1ae71d2a00c2781136f0d041617131ad
SHA1

ac45f06da190a8fbf7e5f4e9f7d9afdd941e7df6
SHA256

7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
SHA512

597ddab8dafc57121ac7b24f4517ae6c2bed20ff4563acfedb0c5f074188f1cae289d1a31a4b76ebd6ce14eeba5d309de1f79a26cf15e08eb93469989c640d91
SSDEEP

98304:P2fwb4rsly4guky5c4l0SsNL8eHNLqC0w9e+Zl/As4gXdu:swEsYM5OSsgAb/AVgX4

Score

10^/10

redline sectoprat @oxphoenix infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@OxPhOenix

C2

77.220.212.176:35752

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4308-10-0x00000000006E0000-0x0000000000A62000-memory.dmp	family_sectoprat
behavioral2/memory/4308-11-0x00000000006E0000-0x0000000000A62000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

Updater.exeBBvVfoqwceAQmZX.exe

pid process

4308 Updater.exe
1992 BBvVfoqwceAQmZX.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

Updater.exe

pid	process
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe
4308	Updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3588 1992 WerFault.exe BBvVfoqwceAQmZX.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Updater.exe

description pid process

Token: SeDebugPrivilege 4308 Updater.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Updater.exe

pid process

4308 Updater.exe

pid	pid_target	process	target process
3588	1992	WerFault.exe	BBvVfoqwceAQmZX.exe

description	pid	process
Token: SeDebugPrivilege	4308	Updater.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1ae71d2a00c2781136f0d041617131ad.exe

description	pid	process	target process
PID 5056 wrote to memory of 4308	5056	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 5056 wrote to memory of 4308	5056	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 5056 wrote to memory of 4308	5056	1ae71d2a00c2781136f0d041617131ad.exe	Updater.exe
PID 5056 wrote to memory of 1992	5056	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe
PID 5056 wrote to memory of 1992	5056	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe
PID 5056 wrote to memory of 1992	5056	1ae71d2a00c2781136f0d041617131ad.exe	BBvVfoqwceAQmZX.exe

C:\Users\Admin\AppData\Local\Temp\1ae71d2a00c2781136f0d041617131ad.exe
"C:\Users\Admin\AppData\Local\Temp\1ae71d2a00c2781136f0d041617131ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 580
3⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1992 -ip 1992
1⤵
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
1.1MB

MD5
73fb2d35e584c5b2a0bcee38de623547

SHA1
00112f9d61a13fbb6e2b5c74c3a7abcb09ff6b59

SHA256
ceada29a20a20983b6589bfbf4ff321f0bb3bbf692bdf90eab1ad441cc50eaff

SHA512
c3e956388816b6caa10f683d7973a0f6c1153c7abf005606d0b8381d85ea2a0beae0835ddd56524b52d54c9ab7b65d615a88100af6c4325ac88cfd66bad6f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
64KB

MD5
e1b10421e37790a425dbc98bbeb4cd64

SHA1
fd823ac83bd443aaf723e02f7e8834c0650fc351

SHA256
6b24fa37cb2153e9f0d745b116c4f053028e9243dee09d4241fa4d17d388d7dc

SHA512
9148c0b7054a4c84ab288544edb401f4d96fd48dd4b8080da6657241738cbd7ec4d5d6413a7524b1ededdaedb77f0227c29d547917a9bb5fed22ea9f6dc6afa4

Download Submit
C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
Filesize
512KB

MD5
f2df4b4d30c5551c23c002d850e4a728

SHA1
13c32a5189d7f7b239b2e63e7dca563224e0128d

SHA256
50985f3dfcd25839f64d580298dd08d3047d9129fa3c0fc6e56976cbc1d453ef

SHA512
5f251b254f74bd1e94f902359052813e2596079a540ea7ec29533940afb651a011eed501180b419128012629285ce54f73579980898ec9612cdf03a473f684fe

Download Submit
C:\Users\Admin\AppData\Roaming\BBvVfoqwceAQmZX.exe
Filesize
384KB

MD5
ebc52354012d3139f5bfe6b8d1853ca2

SHA1
a5f5aab1c08d901df25b200ed5ac5b0d63f0659b

SHA256
596fb6346d526df380c765e68f8c75f2939cd78949a1873d15bab63ed42d6c8a

SHA512
92c849d7fcdde84acd794b82e2a2aac17e95af52268e360f918d36e62ff2a0dce7805569d7982e20dd7a529915e7658368cbecabdf5551eabd5c1a6079f9c146

Download Submit
memory/1992-14-0x0000000076240000-0x0000000076455000-memory.dmp

Filesize
2.1MB

Download
memory/1992-8-0x0000000000400000-0x0000000000B75000-memory.dmp

Filesize
7.5MB

Download
memory/1992-3893-0x0000000000400000-0x0000000000B75000-memory.dmp

Filesize
7.5MB

Download
memory/4308-69-0x0000000005D70000-0x0000000005D82000-memory.dmp

Filesize
72KB

Download
memory/4308-12-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-13-0x00000000062E0000-0x00000000068F8000-memory.dmp

Filesize
6.1MB

Download
memory/4308-4-0x00000000006E0000-0x0000000000A62000-memory.dmp

Filesize
3.5MB

Download
memory/4308-11-0x00000000006E0000-0x0000000000A62000-memory.dmp

Filesize
3.5MB

Download
memory/4308-74-0x0000000005DD0000-0x0000000005E0C000-memory.dmp

Filesize
240KB

Download
memory/4308-219-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/4308-218-0x0000000005F10000-0x0000000005F20000-memory.dmp

Filesize
64KB

Download
memory/4308-525-0x0000000006070000-0x000000000617A000-memory.dmp

Filesize
1.0MB

Download
memory/4308-10-0x00000000006E0000-0x0000000000A62000-memory.dmp

Filesize
3.5MB

Download
memory/4308-3895-0x00000000006E0000-0x0000000000A62000-memory.dmp

Filesize
3.5MB

Download
memory/4308-3897-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-3898-0x0000000005F10000-0x0000000005F20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads