redline | 98012c9a8fe074b5514953c7cf7d70047a44bec639dda73d39d67283897465fb

General

Target

2b05bd5f01ec91055ec3235fe0308758.exe
Size

1.2MB
MD5

2b05bd5f01ec91055ec3235fe0308758
SHA1

8fed0199247388c88870e20b15581353f7dc2ba9
SHA256

98012c9a8fe074b5514953c7cf7d70047a44bec639dda73d39d67283897465fb
SHA512

b7e14c8406fd09cddab6cb06bdf72f5ba91c1bf9ad8e546198ce937da7554efe64ce43b1e7ba7da0487a2ba462de8be18cf68f712383a443ec733d599a354646
SSDEEP

24576:+SLXMkT/pY/feR4IQfPsNTpNOC4r2U+73ux3Sa:t8kBY/M+8N3adMU3Sa

Score

10^/10

redline sectoprat 12 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

12

C2

185.92.74.32:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2180-41-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/2180-45-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/2180-47-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2180-41-0x0000000000090000-0x00000000000B0000-memory.dmp	family_sectoprat
behavioral1/memory/2180-45-0x0000000000090000-0x00000000000B0000-memory.dmp	family_sectoprat
behavioral1/memory/2180-47-0x0000000000090000-0x00000000000B0000-memory.dmp	family_sectoprat

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2504 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Pensieroso.exe.comPensieroso.exe.comRegAsm.exe

pid process

1692 Pensieroso.exe.com
2972 Pensieroso.exe.com
2180 RegAsm.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exePensieroso.exe.comPensieroso.exe.comRegAsm.exe

pid process

1312 cmd.exe
1692 Pensieroso.exe.com
2972 Pensieroso.exe.com
2180 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Pensieroso.exe.com

description pid process target process

PID 2972 set thread context of 2180 2972 Pensieroso.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1212 PING.EXE

pid	process
2504	cmd.exe

pid	process
1692	Pensieroso.exe.com
2972	Pensieroso.exe.com
2180	RegAsm.exe

pid	process
1312	cmd.exe
1692	Pensieroso.exe.com
2972	Pensieroso.exe.com
2180	RegAsm.exe

description	pid	process	target process
PID 2972 set thread context of 2180	2972	Pensieroso.exe.com	RegAsm.exe

pid	process
1212	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Pensieroso.exe.comRegAsm.exe

pid	process
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2180	RegAsm.exe
2180	RegAsm.exe
2180	RegAsm.exe
2180	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Pensieroso.exe.comPensieroso.exe.com

pid process

1692 Pensieroso.exe.com
1692 Pensieroso.exe.com
1692 Pensieroso.exe.com
2972 Pensieroso.exe.com
2972 Pensieroso.exe.com
2972 Pensieroso.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Pensieroso.exe.comPensieroso.exe.com

pid process

1692 Pensieroso.exe.com
1692 Pensieroso.exe.com
1692 Pensieroso.exe.com
2972 Pensieroso.exe.com
2972 Pensieroso.exe.com
2972 Pensieroso.exe.com

pid	process
1692	Pensieroso.exe.com
1692	Pensieroso.exe.com
1692	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com

pid	process
1692	Pensieroso.exe.com
1692	Pensieroso.exe.com
1692	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com
2972	Pensieroso.exe.com

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

2b05bd5f01ec91055ec3235fe0308758.execmd.execmd.exePensieroso.exe.comPensieroso.exe.com

description	pid	process	target process
PID 2432 wrote to memory of 2060	2432	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 2432 wrote to memory of 2060	2432	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 2432 wrote to memory of 2060	2432	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 2432 wrote to memory of 2060	2432	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 2432 wrote to memory of 2072	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2432 wrote to memory of 2072	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2432 wrote to memory of 2072	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2432 wrote to memory of 2072	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2072 wrote to memory of 1312	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 1312	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 1312	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 1312	2072	cmd.exe	cmd.exe
PID 1312 wrote to memory of 832	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 832	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 832	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 832	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 1692	1312	cmd.exe	Pensieroso.exe.com
PID 1312 wrote to memory of 1692	1312	cmd.exe	Pensieroso.exe.com
PID 1312 wrote to memory of 1692	1312	cmd.exe	Pensieroso.exe.com
PID 1312 wrote to memory of 1692	1312	cmd.exe	Pensieroso.exe.com
PID 1312 wrote to memory of 1212	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1212	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1212	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1212	1312	cmd.exe	PING.EXE
PID 1692 wrote to memory of 2972	1692	Pensieroso.exe.com	Pensieroso.exe.com
PID 1692 wrote to memory of 2972	1692	Pensieroso.exe.com	Pensieroso.exe.com
PID 1692 wrote to memory of 2972	1692	Pensieroso.exe.com	Pensieroso.exe.com
PID 1692 wrote to memory of 2972	1692	Pensieroso.exe.com	Pensieroso.exe.com
PID 2432 wrote to memory of 2504	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2432 wrote to memory of 2504	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2432 wrote to memory of 2504	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2432 wrote to memory of 2504	2432	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe
PID 2972 wrote to memory of 2180	2972	Pensieroso.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe
"C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Bastanza.swf
2⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CxmnNpDYRvUOsMXEkPvVjDrPNGESxTAYheweUTnNgSjNchNETUDzDmWZsJKiFLDXWWBfKVKssJHxdfxATZYAdixOywKl$" Vai.swf
4⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
Pensieroso.exe.com M
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com M
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\Windows\SysWOW64\PING.EXE
ping QVMRJQQO -n 30
4⤵
- Runs ping.exe
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
- Deletes itself
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
236B

MD5
d230652b8a9841fceb5c88052bcac9ca

SHA1
9c7b5c4dfa5f8bfaf812b505ffaf6aa4a060eaea

SHA256
6f33f62e0e57d4c5f95a9c0c79c41d14cab893109e21a9b2e67a1b832fbd585b

SHA512
b703ba8cd89d5c2a339d1e3f2a2330045e040132efce12f55b1aa698727e5bcf6d223dd11fb38e85fcc1dbe21599dc073ad3fdb33c85776c4b06d28d8b0342c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bastanza.swf
Filesize
550B

MD5
91c1e2c3d91cb1c38948774853ad179c

SHA1
173ffff739657840dcb263dc2de8331cf7961caf

SHA256
59aaeaa576ba7eb6e705bea2fe5adc70cfcc578fd28a7d50c4d005d8f83c091a

SHA512
c0084eaf798e48348f218d53fcb31902f70d49d69aa99ffd351a46531fa2835afdc141f18b4511b6e91c2e83ec6bf30de55155117a1ca0c103921b82779e176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Buona.swf
Filesize
107KB

MD5
1cf05f985b0c9471f1a68152a3a36520

SHA1
6034a3d5014bc16caa580f00e65e2e2e91332714

SHA256
74815315e0a7be936b7317c90d205022525fc50735a22e60d5d218e64c6f0253

SHA512
109e70f5759ac7da59c8521d28dd1369f18b150fb8b5a3cba47e2c34fdfd109d378d477a57a19915e1e6594e4688fdfdf79014b93785399131f1b8d861890aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fino.swf
Filesize
1.3MB

MD5
b372a9eb306150c5b1ba16d8220185ab

SHA1
0b73f891a28a33e8acdaf290f6dc2efd7ff88621

SHA256
1f35b8d5a27ee8434a26c65483d4a46ebef32061ea7a39ae222305a34238a918

SHA512
bb64b540dfb9d60f0e03fa6d52328cb7cc8d6b91290c9f5cff91b3fefab79acb7516743a7b40181dd1009c6575614f2b7494082beae70c322c3ac22d61df22a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.swf
Filesize
872KB

MD5
e6f31cfa21a920ffd366dae49fb309cd

SHA1
08005a379ab88647a466ad0c2447ce2f6e712bf2

SHA256
fd0ffad0d6027db60588e145cba84a9374ce052f19502df4c95e0380ef893527

SHA512
14e9afbf7bf8f1e1053b4bb5cca389edbb5f4714febcb3fc2f6e87d9e2db010be78d3c1a6fae85110e1506ba79701013aed46a36ecc0dc929f68cc6e204b9ac1

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2180-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2180-38-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2180-41-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2180-45-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2180-47-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2972-34-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads