redline | c99ef8b57dfc165a4b6a1e5db5ff1fabbd9582d7ede5c5a3c86f2933cab006a4

Analysis

max time kernel
22s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c85d0a5da2ae9fe759949a0feb70d3c.exe
Size

238KB
MD5

3c85d0a5da2ae9fe759949a0feb70d3c
SHA1

d9a876190138699a8f28318b05ee6012e6f14fad
SHA256

c99ef8b57dfc165a4b6a1e5db5ff1fabbd9582d7ede5c5a3c86f2933cab006a4
SHA512

81cde77d2dbd16e6e1b665be6ef75dc6a027a936e078a5c1a5fdbb7787465f1ac8c6ba7df6f642f9bf0de9f6725e8ca7783ad8b3df4b25a2818bc6f56e338c80
SSDEEP

6144:zeQhWVu/VUk7bVwmqMz8WHevNUKDdmUcy/Zf/enifLGsk9:zzwVu9UKZjzhNKDUUciXSsa

Score

10^/10

redline sectoprat infostealer rat trojan

Malware Config

Extracted

Family

redline

87.251.71.120:62788

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3900-36-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3900-36-0x0000000000400000-0x0000000000420000-memory.dmp	family_sectoprat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\3c85d0a5da2ae9fe759949a0feb70d3c.exe
"C:\Users\Admin\AppData\Local\Temp\3c85d0a5da2ae9fe759949a0feb70d3c.exe"
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\KymographsStamened.exe
  "C:\Users\Admin\AppData\Local\Temp\KymographsStamened.exe"
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\tbuild.exe
  "C:\Users\Admin\AppData\Local\Temp\tbuild.exe"
  2⤵
  PID:2848
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1296
    3⤵
    PID:116

C:\Users\Admin\AppData\Local\Temp\KymographsStamened.exe
C:\Users\Admin\AppData\Local\Temp\KymographsStamened.exe
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-0-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/2084-1-0x00007FF944EA0000-0x00007FF945961000-memory.dmp

Filesize
10.8MB

Download
memory/2084-27-0x00007FF944EA0000-0x00007FF945961000-memory.dmp

Filesize
10.8MB

Download
memory/2848-24-0x000000001BE10000-0x000000001BE72000-memory.dmp

Filesize
392KB

Download
memory/2848-29-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2848-58-0x00007FF941050000-0x00007FF9419F1000-memory.dmp

Filesize
9.6MB

Download
memory/2848-28-0x000000001BEA0000-0x000000001BEC0000-memory.dmp

Filesize
128KB

Download
memory/2848-32-0x00007FF941050000-0x00007FF9419F1000-memory.dmp

Filesize
9.6MB

Download
memory/2848-51-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2848-26-0x00007FF941050000-0x00007FF9419F1000-memory.dmp

Filesize
9.6MB

Download
memory/2848-50-0x00007FF941050000-0x00007FF9419F1000-memory.dmp

Filesize
9.6MB

Download
memory/3900-42-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/3900-44-0x00000000069B0000-0x0000000006FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3900-60-0x0000000005A90000-0x0000000005AA0000-memory.dmp

Filesize
64KB

Download
memory/3900-43-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/3900-46-0x0000000005BB0000-0x0000000005CBA000-memory.dmp

Filesize
1.0MB

Download
memory/3900-48-0x0000000005D40000-0x0000000005D7C000-memory.dmp

Filesize
240KB

Download
memory/3900-47-0x0000000005A90000-0x0000000005AA0000-memory.dmp

Filesize
64KB

Download
memory/3900-49-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/3900-45-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/3900-59-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3900-41-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-35-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/4484-34-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-31-0x00000000057E0000-0x0000000005856000-memory.dmp

Filesize
472KB

Download
memory/4484-30-0x0000000000F80000-0x0000000000FDC000-memory.dmp

Filesize
368KB

Download
memory/4484-33-0x0000000005790000-0x00000000057AE000-memory.dmp

Filesize
120KB

Download
memory/4484-40-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download