redline | f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be

Analysis

max time kernel
2s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe
Size

5.5MB
MD5

0a313a73aac1905c6ef571c4e700554a
SHA1

7f2e2d4656ae4a5e6015c51184e19ef26510fb12
SHA256

f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
SHA512

b8323f01a915c1e28d9926a07518c798546ab12aa8d8c1038c9f18973beab78fda972aaea1b7a0814b6c3efa0847ee2f89ccc3abfa8bcc239eb12a36a069b576
SSDEEP

98304:xorRBQQyUroZi+nTf55/2UJ70UsjVk+io3McLpN3SQXB/uz7h4sWsjFe5qx:xorR3rETfjB70Ush9io3MeDOl4sW8+qx

Score

10^/10

redline sectoprat vidar 706 pab777 infostealer rat stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.3

Botnet

706

https://lenko349.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pab777

185.215.113.15:6043

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/2068-198-0x0000000001E20000-0x0000000001E46000-memory.dmp	family_redline
behavioral1/memory/2068-206-0x00000000024E0000-0x0000000002504000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2068-198-0x0000000001E20000-0x0000000001E46000-memory.dmp	family_sectoprat
behavioral1/memory/2068-206-0x00000000024E0000-0x0000000002504000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/776-185-0x0000000003B30000-0x0000000003C03000-memory.dmp	family_vidar
behavioral1/memory/776-187-0x0000000000400000-0x00000000021D9000-memory.dmp	family_vidar

Executes dropped EXE 1 IoCs

pid	Process
2840	setup_install.exe

Loads dropped DLL 10 IoCs

pid	Process
2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe
2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe
2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe
2840	setup_install.exe
2840	setup_install.exe
2840	setup_install.exe
2840	setup_install.exe
2840	setup_install.exe
2840	setup_install.exe
2840	setup_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2040	1132	WerFault.exe
1008	776	WerFault.exe	40

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61
PID 2856 wrote to memory of 2840	2856	f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe	61

C:\Users\Admin\AppData\Local\Temp\f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe
"C:\Users\Admin\AppData\Local\Temp\f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\7zS82B2FE16\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS82B2FE16\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2840

C:\Users\Admin\AppData\Local\Temp\e6e22792e2586e.exe
C:\Users\Admin\AppData\Local\Temp\e6e22792e2586e.exe
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\setup_install.exe"
  2⤵
  PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:1872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed1785e69fa9997.exe
1⤵
PID:2908
- C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed1785e69fa9997.exe
  Wed1785e69fa9997.exe
  2⤵
  PID:588

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed1723a697f7.exe
Wed1723a697f7.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffApp2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffApp2.exe"
  2⤵
  PID:1540

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed171b4c251d7.exe
Wed171b4c251d7.exe
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\is-BMN6I.tmp\Wed1714d285085.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BMN6I.tmp\Wed1714d285085.tmp" /SL5="$201E4,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed1714d285085.exe"
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed17f15b7389c9ebf74.exe
Wed17f15b7389c9ebf74.exe
1⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed17dff1d3c799e.exe
Wed17dff1d3c799e.exe
1⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed1714d285085.exe
Wed1714d285085.exe
1⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed17d4eac5c83e204dc.exe
Wed17d4eac5c83e204dc.exe
1⤵
PID:776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 948
  2⤵
  - Program crash
  PID:1008

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed17f6f9bbb339c2.exe
"C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed17f6f9bbb339c2.exe" -u
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed1744842952dc03a.exe
Wed1744842952dc03a.exe
1⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\7zS41B70E16\Wed17f6f9bbb339c2.exe
Wed17f6f9bbb339c2.exe
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 436
1⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed1744842952dc03a.exe
1⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed17dff1d3c799e.exe
1⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed17f15b7389c9ebf74.exe
1⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed1714d285085.exe
1⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed17d4eac5c83e204dc.exe
1⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed1723a697f7.exe
1⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed171b4c251d7.exe
1⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed17f6f9bbb339c2.exe
1⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e6e22792e2586e.exe
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-185-0x0000000003B30000-0x0000000003C03000-memory.dmp

Filesize
844KB

Download
memory/776-284-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/776-272-0x0000000000400000-0x00000000021D9000-memory.dmp

Filesize
29.8MB

Download
memory/776-187-0x0000000000400000-0x00000000021D9000-memory.dmp

Filesize
29.8MB

Download
memory/776-184-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/1132-271-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-119-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-114-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1132-122-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1132-112-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1132-121-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1132-264-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1132-265-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1132-268-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1132-266-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1132-99-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1132-115-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-109-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1132-117-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-118-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1132-270-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1132-120-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1132-110-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1132-113-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1540-295-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-191-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-186-0x0000000000B90000-0x0000000000BAA000-memory.dmp

Filesize
104KB

Download
memory/1540-197-0x000000001BEA0000-0x000000001BF20000-memory.dmp

Filesize
512KB

Download
memory/1540-298-0x000000001BEA0000-0x000000001BF20000-memory.dmp

Filesize
512KB

Download
memory/2052-263-0x0000000072D60000-0x000000007330B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-193-0x0000000072D60000-0x000000007330B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-196-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2068-198-0x0000000001E20000-0x0000000001E46000-memory.dmp

Filesize
152KB

Download
memory/2068-234-0x0000000006350000-0x0000000006390000-memory.dmp

Filesize
256KB

Download
memory/2068-177-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/2068-294-0x0000000001ED0000-0x0000000001FD0000-memory.dmp

Filesize
1024KB

Download
memory/2068-206-0x00000000024E0000-0x0000000002504000-memory.dmp

Filesize
144KB

Download
memory/2068-190-0x0000000000400000-0x0000000001D9A000-memory.dmp

Filesize
25.6MB

Download
memory/2068-189-0x0000000001ED0000-0x0000000001FD0000-memory.dmp

Filesize
1024KB

Download
memory/2316-297-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/2316-281-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-155-0x0000000000EA0000-0x0000000000ECC000-memory.dmp

Filesize
176KB

Download
memory/2316-299-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-195-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/2316-170-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-169-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2368-282-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-194-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/2368-156-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/2368-296-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/2368-175-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-279-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2376-275-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2444-188-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2444-285-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2444-307-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2444-158-0x00000000009F0000-0x0000000000B78000-memory.dmp

Filesize
1.5MB

Download
memory/2444-166-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-192-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2444-235-0x000000001A950000-0x000000001A9D4000-memory.dmp

Filesize
528KB

Download
memory/2444-261-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2444-283-0x000007FEF4970000-0x000007FEF535C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-45-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/2840-37-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/2840-47-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2840-46-0x0000000061B80000-0x0000000061B98000-memory.dmp

Filesize
96KB

Download
memory/2840-38-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2840-44-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2840-43-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2840-36-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/2840-28-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/3004-150-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3004-280-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3004-273-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads