redline | 73dc45d12cbf0b6e8f2f6a439c7bf4da5b4ec51504690db81fee39adb0edd1b4

General

Target

25061f7c5f6cba19b00ba46c684bb5dd.exe
Size

1.2MB
MD5

25061f7c5f6cba19b00ba46c684bb5dd
SHA1

d313a669b26395b13e5197e186ba5a9dd79579ae
SHA256

73dc45d12cbf0b6e8f2f6a439c7bf4da5b4ec51504690db81fee39adb0edd1b4
SHA512

ef6dc57b5caf84b0914b790a7c599a0b567477a9a297f18b5895b8afefbb3697fb705d72d69b66faf26bfbc90497b4f7af921aaae8ab9fd659d50484e953dd70
SSDEEP

6144:sFxb4HalkX/5Okcxpny0mjn/db2xPGnDq3cUkxChx4ZfAb7nC0WEG05iTeBWT:wxbYcxpy0mjn/NC0MkxChx4S95dBWT

Score

10^/10

redline sectoprat ruzkii infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

ruzkii

C2

verecalina.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2844-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2844-12-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2844-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2844-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2844-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2844-23-0x0000000004E60000-0x0000000004EA0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2844-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2844-12-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2844-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2844-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2844-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2844-23-0x0000000004E60000-0x0000000004EA0000-memory.dmp	family_sectoprat
behavioral1/memory/2844-25-0x0000000004E60000-0x0000000004EA0000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	25061f7c5f6cba19b00ba46c684bb5dd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30
PID 2488 wrote to memory of 2844	2488	25061f7c5f6cba19b00ba46c684bb5dd.exe	30

C:\Users\Admin\AppData\Local\Temp\25061f7c5f6cba19b00ba46c684bb5dd.exe
"C:\Users\Admin\AppData\Local\Temp\25061f7c5f6cba19b00ba46c684bb5dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\25061f7c5f6cba19b00ba46c684bb5dd.exe
  "C:\Users\Admin\AppData\Local\Temp\25061f7c5f6cba19b00ba46c684bb5dd.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-19-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-2-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2488-1-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-3-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-4-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2488-5-0x0000000000A80000-0x0000000000AA2000-memory.dmp

Filesize
136KB

Download
memory/2488-0-0x00000000012B0000-0x00000000013EA000-memory.dmp

Filesize
1.2MB

Download
memory/2844-25-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2844-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2844-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2844-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2844-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2844-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2844-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2844-22-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-23-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2844-24-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing