redline | a455ea749bf2aa78f43ca6beb1fec983ca39b71e23ab8a951c6b3c0a23ae6b7c

General

Target

3fc9c1a56f30cf18e75f458ba4470cee.exe
Size

471KB
MD5

3fc9c1a56f30cf18e75f458ba4470cee
SHA1

4f79fa2f37e7c795a25b753df8c53b6d4cc46d28
SHA256

a455ea749bf2aa78f43ca6beb1fec983ca39b71e23ab8a951c6b3c0a23ae6b7c
SHA512

b3149d9a303c0260e0b1452d20c196bb94d8c7f3a44d6a4ed9870b015e61b33b45eada50646fc2c40784a15c0349dbd1475ac69a38160cb085a0a9c3aa0bc807
SSDEEP

6144:xYa0TXGrWVqIUgpXSRER+JTKasRLwnSmU2h0:xsX6KqpMXSER+JTHsRLwnSmUv

Score

10^/10

redline sectoprat lamborghini evasion infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

Lamborghini

C2

45.88.3.176:17033

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	3fc9c1a56f30cf18e75f458ba4470cee.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2872-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2872-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe = "0"	3fc9c1a56f30cf18e75f458ba4470cee.exe

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/files/0x0031000000015c7a-7.dat	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
2380	AdvancedRun.exe
2016	AdvancedRun.exe

Loads dropped DLL 4 IoCs

pid	Process
828	3fc9c1a56f30cf18e75f458ba4470cee.exe
828	3fc9c1a56f30cf18e75f458ba4470cee.exe
2380	AdvancedRun.exe
2380	AdvancedRun.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	3fc9c1a56f30cf18e75f458ba4470cee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	3fc9c1a56f30cf18e75f458ba4470cee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	3fc9c1a56f30cf18e75f458ba4470cee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	3fc9c1a56f30cf18e75f458ba4470cee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe = "0"	3fc9c1a56f30cf18e75f458ba4470cee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	3fc9c1a56f30cf18e75f458ba4470cee.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2380	AdvancedRun.exe
2380	AdvancedRun.exe
2016	AdvancedRun.exe
2016	AdvancedRun.exe
2852	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	AdvancedRun.exe
Token: SeImpersonatePrivilege	2380	AdvancedRun.exe
Token: SeDebugPrivilege	2016	AdvancedRun.exe
Token: SeImpersonatePrivilege	2016	AdvancedRun.exe
Token: SeDebugPrivilege	828	3fc9c1a56f30cf18e75f458ba4470cee.exe
Token: SeDebugPrivilege	2872	3fc9c1a56f30cf18e75f458ba4470cee.exe
Token: SeDebugPrivilege	2852	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2380	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	28
PID 828 wrote to memory of 2380	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	28
PID 828 wrote to memory of 2380	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	28
PID 828 wrote to memory of 2380	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	28
PID 2380 wrote to memory of 2016	2380	AdvancedRun.exe	29
PID 2380 wrote to memory of 2016	2380	AdvancedRun.exe	29
PID 2380 wrote to memory of 2016	2380	AdvancedRun.exe	29
PID 2380 wrote to memory of 2016	2380	AdvancedRun.exe	29
PID 828 wrote to memory of 2852	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	30
PID 828 wrote to memory of 2852	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	30
PID 828 wrote to memory of 2852	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	30
PID 828 wrote to memory of 2852	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	30
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32
PID 828 wrote to memory of 2872	828	3fc9c1a56f30cf18e75f458ba4470cee.exe	32

C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe
"C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\a5e9b854-d98d-4c74-a37c-19aa6f68f0fa\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\a5e9b854-d98d-4c74-a37c-19aa6f68f0fa\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a5e9b854-d98d-4c74-a37c-19aa6f68f0fa\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\a5e9b854-d98d-4c74-a37c-19aa6f68f0fa\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\a5e9b854-d98d-4c74-a37c-19aa6f68f0fa\AdvancedRun.exe" /SpecialRun 4101d8 2380
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe
  "C:\Users\Admin\AppData\Local\Temp\3fc9c1a56f30cf18e75f458ba4470cee.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\a5e9b854-d98d-4c74-a37c-19aa6f68f0fa\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/828-27-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/828-1-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/828-2-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/828-3-0x00000000021E0000-0x000000000224A000-memory.dmp

Filesize
424KB

Download
memory/828-0-0x0000000000B40000-0x0000000000BBC000-memory.dmp

Filesize
496KB

Download
memory/2852-39-0x0000000070C00000-0x00000000711AB000-memory.dmp

Filesize
5.7MB

Download
memory/2852-38-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2852-36-0x0000000070C00000-0x00000000711AB000-memory.dmp

Filesize
5.7MB

Download
memory/2852-35-0x0000000070C00000-0x00000000711AB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-32-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-37-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/2872-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-40-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-41-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads