redline | f1199e5b5953534ddbb788d136dd99e6c1d20698458afc9c01b70972b2b3b9af

General

Target

348ec113dac9d1ad8c37ed33efb9e98d.exe
Size

1013KB
MD5

348ec113dac9d1ad8c37ed33efb9e98d
SHA1

0155e7ee208657b1970d4d6e42d1f18096eb4fbe
SHA256

f1199e5b5953534ddbb788d136dd99e6c1d20698458afc9c01b70972b2b3b9af
SHA512

54fa4c4defecdd3b11a95600d4806d1be8350424f146dd82c929a398d44a5c962fd711566f454551eeb53c1bbfc8d74b8e175fe541fce0bcbf9ab06106296de8
SSDEEP

24576:cT3oblY5lxt9Yi/+eX+ZGfJglBBK2xfLT:cT3KlkxtaeOZGfJgDBK2tH

Score

10^/10

redline sectoprat 10 agilenet infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

10

C2

wemakeclay.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2608-20-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2608-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2608-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2608-12-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2608-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2608-20-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2608-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2608-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2608-12-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2608-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000AA0000-0x0000000000BA2000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

348ec113dac9d1ad8c37ed33efb9e98d.exe

description pid process target process

PID 2220 set thread context of 2608 2220 348ec113dac9d1ad8c37ed33efb9e98d.exe 348ec113dac9d1ad8c37ed33efb9e98d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

348ec113dac9d1ad8c37ed33efb9e98d.exe

description pid process

Token: SeDebugPrivilege 2608 348ec113dac9d1ad8c37ed33efb9e98d.exe

description	pid	process	target process
PID 2220 set thread context of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe

description	pid	process
Token: SeDebugPrivilege	2608	348ec113dac9d1ad8c37ed33efb9e98d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

348ec113dac9d1ad8c37ed33efb9e98d.exe

description	pid	process	target process
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608	2220	348ec113dac9d1ad8c37ed33efb9e98d.exe	348ec113dac9d1ad8c37ed33efb9e98d.exe

C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe
"C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe
"C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-21-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-4-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-0-0x0000000000AA0000-0x0000000000BA2000-memory.dmp

Filesize
1.0MB

Download
memory/2220-7-0x00000000006E0000-0x0000000000712000-memory.dmp

Filesize
200KB

Download
memory/2220-3-0x0000000000320000-0x0000000000338000-memory.dmp

Filesize
96KB

Download
memory/2220-5-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/2220-6-0x0000000008060000-0x00000000080FE000-memory.dmp

Filesize
632KB

Download
memory/2220-1-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-2-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/2608-23-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2608-22-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-24-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-25-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads