redline | 98012c9a8fe074b5514953c7cf7d70047a44bec639dda73d39d67283897465fb

General

Target

2b05bd5f01ec91055ec3235fe0308758.exe
Size

1.2MB
MD5

2b05bd5f01ec91055ec3235fe0308758
SHA1

8fed0199247388c88870e20b15581353f7dc2ba9
SHA256

98012c9a8fe074b5514953c7cf7d70047a44bec639dda73d39d67283897465fb
SHA512

b7e14c8406fd09cddab6cb06bdf72f5ba91c1bf9ad8e546198ce937da7554efe64ce43b1e7ba7da0487a2ba462de8be18cf68f712383a443ec733d599a354646
SSDEEP

24576:+SLXMkT/pY/feR4IQfPsNTpNOC4r2U+73ux3Sa:t8kBY/M+8N3adMU3Sa

Score

10^/10

redline sectoprat 12 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

12

C2

185.92.74.32:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1420-24-0x0000000000B70000-0x0000000000B90000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1420-24-0x0000000000B70000-0x0000000000B90000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2b05bd5f01ec91055ec3235fe0308758.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2b05bd5f01ec91055ec3235fe0308758.exe

Deletes itself 1 IoCs

Processes:

Pensieroso.exe.com

pid process

3800 Pensieroso.exe.com
Executes dropped EXE 3 IoCs

Processes:

Pensieroso.exe.comPensieroso.exe.comRegAsm.exe

pid process

4652 Pensieroso.exe.com
3800 Pensieroso.exe.com
1420 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Pensieroso.exe.com

description pid process target process

PID 3800 set thread context of 1420 3800 Pensieroso.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2080 PING.EXE

pid	process
4652	Pensieroso.exe.com
3800	Pensieroso.exe.com
1420	RegAsm.exe

description	pid	process	target process
PID 3800 set thread context of 1420	3800	Pensieroso.exe.com	RegAsm.exe

pid	process
2080	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Pensieroso.exe.comRegAsm.exe

pid	process
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
1420	RegAsm.exe
1420	RegAsm.exe
1420	RegAsm.exe
1420	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Pensieroso.exe.comPensieroso.exe.com

pid process

4652 Pensieroso.exe.com
4652 Pensieroso.exe.com
4652 Pensieroso.exe.com
3800 Pensieroso.exe.com
3800 Pensieroso.exe.com
3800 Pensieroso.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Pensieroso.exe.comPensieroso.exe.com

pid process

4652 Pensieroso.exe.com
4652 Pensieroso.exe.com
4652 Pensieroso.exe.com
3800 Pensieroso.exe.com
3800 Pensieroso.exe.com
3800 Pensieroso.exe.com

pid	process
4652	Pensieroso.exe.com
4652	Pensieroso.exe.com
4652	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com

pid	process
4652	Pensieroso.exe.com
4652	Pensieroso.exe.com
4652	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com
3800	Pensieroso.exe.com

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2b05bd5f01ec91055ec3235fe0308758.execmd.execmd.exePensieroso.exe.comPensieroso.exe.com

description	pid	process	target process
PID 3488 wrote to memory of 1596	3488	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 3488 wrote to memory of 1596	3488	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 3488 wrote to memory of 1596	3488	2b05bd5f01ec91055ec3235fe0308758.exe	dllhost.exe
PID 3488 wrote to memory of 5032	3488	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 3488 wrote to memory of 5032	3488	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 3488 wrote to memory of 5032	3488	2b05bd5f01ec91055ec3235fe0308758.exe	cmd.exe
PID 5032 wrote to memory of 1136	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 1136	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 1136	5032	cmd.exe	cmd.exe
PID 1136 wrote to memory of 3524	1136	cmd.exe	findstr.exe
PID 1136 wrote to memory of 3524	1136	cmd.exe	findstr.exe
PID 1136 wrote to memory of 3524	1136	cmd.exe	findstr.exe
PID 1136 wrote to memory of 4652	1136	cmd.exe	Pensieroso.exe.com
PID 1136 wrote to memory of 4652	1136	cmd.exe	Pensieroso.exe.com
PID 1136 wrote to memory of 4652	1136	cmd.exe	Pensieroso.exe.com
PID 1136 wrote to memory of 2080	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 2080	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 2080	1136	cmd.exe	PING.EXE
PID 4652 wrote to memory of 3800	4652	Pensieroso.exe.com	Pensieroso.exe.com
PID 4652 wrote to memory of 3800	4652	Pensieroso.exe.com	Pensieroso.exe.com
PID 4652 wrote to memory of 3800	4652	Pensieroso.exe.com	Pensieroso.exe.com
PID 3800 wrote to memory of 1420	3800	Pensieroso.exe.com	RegAsm.exe
PID 3800 wrote to memory of 1420	3800	Pensieroso.exe.com	RegAsm.exe
PID 3800 wrote to memory of 1420	3800	Pensieroso.exe.com	RegAsm.exe
PID 3800 wrote to memory of 1420	3800	Pensieroso.exe.com	RegAsm.exe
PID 3800 wrote to memory of 1420	3800	Pensieroso.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe
"C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Bastanza.swf
2⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CxmnNpDYRvUOsMXEkPvVjDrPNGESxTAYheweUTnNgSjNchNETUDzDmWZsJKiFLDXWWBfKVKssJHxdfxATZYAdixOywKl$" Vai.swf
4⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
Pensieroso.exe.com M
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com M
5⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\SysWOW64\PING.EXE
ping NUPNSVML -n 30
4⤵
- Runs ping.exe
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bastanza.swf
Filesize
550B

MD5
91c1e2c3d91cb1c38948774853ad179c

SHA1
173ffff739657840dcb263dc2de8331cf7961caf

SHA256
59aaeaa576ba7eb6e705bea2fe5adc70cfcc578fd28a7d50c4d005d8f83c091a

SHA512
c0084eaf798e48348f218d53fcb31902f70d49d69aa99ffd351a46531fa2835afdc141f18b4511b6e91c2e83ec6bf30de55155117a1ca0c103921b82779e176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Buona.swf
Filesize
107KB

MD5
1cf05f985b0c9471f1a68152a3a36520

SHA1
6034a3d5014bc16caa580f00e65e2e2e91332714

SHA256
74815315e0a7be936b7317c90d205022525fc50735a22e60d5d218e64c6f0253

SHA512
109e70f5759ac7da59c8521d28dd1369f18b150fb8b5a3cba47e2c34fdfd109d378d477a57a19915e1e6594e4688fdfdf79014b93785399131f1b8d861890aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fino.swf
Filesize
1.3MB

MD5
b372a9eb306150c5b1ba16d8220185ab

SHA1
0b73f891a28a33e8acdaf290f6dc2efd7ff88621

SHA256
1f35b8d5a27ee8434a26c65483d4a46ebef32061ea7a39ae222305a34238a918

SHA512
bb64b540dfb9d60f0e03fa6d52328cb7cc8d6b91290c9f5cff91b3fefab79acb7516743a7b40181dd1009c6575614f2b7494082beae70c322c3ac22d61df22a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.swf
Filesize
872KB

MD5
e6f31cfa21a920ffd366dae49fb309cd

SHA1
08005a379ab88647a466ad0c2447ce2f6e712bf2

SHA256
fd0ffad0d6027db60588e145cba84a9374ce052f19502df4c95e0380ef893527

SHA512
14e9afbf7bf8f1e1053b4bb5cca389edbb5f4714febcb3fc2f6e87d9e2db010be78d3c1a6fae85110e1506ba79701013aed46a36ecc0dc929f68cc6e204b9ac1

Download Submit
memory/1420-24-0x0000000000B70000-0x0000000000B90000-memory.dmp

Filesize
128KB

Download
memory/1420-28-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1420-29-0x0000000005B90000-0x00000000061A8000-memory.dmp

Filesize
6.1MB

Download
memory/1420-30-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/1420-31-0x0000000005720000-0x000000000582A000-memory.dmp

Filesize
1.0MB

Download
memory/1420-32-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1420-33-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1420-34-0x0000000005690000-0x00000000056CC000-memory.dmp

Filesize
240KB

Download
memory/3800-22-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads