redline | d2f3c8745cdfdc4df1c8b1162dc3f310f358cfb8410eacb5f9b82d82140ace24

General

Target

87ca9079e307e48fa781b9c39f3e93fb.exe
Size

411KB
MD5

87ca9079e307e48fa781b9c39f3e93fb
SHA1

582c603d178aaa86caa4b6266d859c6e545a3f8f
SHA256

d2f3c8745cdfdc4df1c8b1162dc3f310f358cfb8410eacb5f9b82d82140ace24
SHA512

9cc6ef9b09ff8f9de513bad648c3cb79582f1a3df01d61275ceae5a7df1f4d7adbc475c06bde4e87fc6f046a122c530c5b2ac9c888d0e663b57a59950c8b27c1
SSDEEP

12288:CYVZ4rt++OjGlrN2Vis7mHxowcEKo1WdIcd:X4Zzj2Vz7x+Ko4dIcd

Score

10^/10

redline sectoprat 1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

1

C2

ynabrdosmc.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4160-15-0x0000000002D30000-0x0000000002D52000-memory.dmp	family_redline
behavioral2/memory/4160-21-0x0000000005200000-0x0000000005220000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4160-15-0x0000000002D30000-0x0000000002D52000-memory.dmp	family_sectoprat
behavioral2/memory/4160-21-0x0000000005200000-0x0000000005220000-memory.dmp	family_sectoprat
behavioral2/memory/4160-25-0x0000000005330000-0x0000000005340000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

87ca9079e307e48fa781b9c39f3e93fb.exe

description pid process target process

PID 392 set thread context of 4160 392 87ca9079e307e48fa781b9c39f3e93fb.exe 87ca9079e307e48fa781b9c39f3e93fb.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

87ca9079e307e48fa781b9c39f3e93fb.exe87ca9079e307e48fa781b9c39f3e93fb.exe

description pid process

Token: SeDebugPrivilege 392 87ca9079e307e48fa781b9c39f3e93fb.exe
Token: SeDebugPrivilege 4160 87ca9079e307e48fa781b9c39f3e93fb.exe

description	pid	process	target process
PID 392 set thread context of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe

description	pid	process
Token: SeDebugPrivilege	392	87ca9079e307e48fa781b9c39f3e93fb.exe
Token: SeDebugPrivilege	4160	87ca9079e307e48fa781b9c39f3e93fb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

87ca9079e307e48fa781b9c39f3e93fb.exe

description	pid	process	target process
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe
PID 392 wrote to memory of 4160	392	87ca9079e307e48fa781b9c39f3e93fb.exe	87ca9079e307e48fa781b9c39f3e93fb.exe

C:\Users\Admin\AppData\Local\Temp\87ca9079e307e48fa781b9c39f3e93fb.exe
"C:\Users\Admin\AppData\Local\Temp\87ca9079e307e48fa781b9c39f3e93fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\87ca9079e307e48fa781b9c39f3e93fb.exe
C:\Users\Admin\AppData\Local\Temp\87ca9079e307e48fa781b9c39f3e93fb.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\87ca9079e307e48fa781b9c39f3e93fb.exe.log
Filesize
605B

MD5
3654bd2c6957761095206ffdf92b0cb9

SHA1
6f10f7b5867877de7629afcff644c265e79b4ad3

SHA256
c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

SHA512
e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

Download Submit
memory/392-1-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/392-2-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/392-3-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/392-4-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/392-5-0x00000000049E0000-0x00000000049F4000-memory.dmp

Filesize
80KB

Download
memory/392-6-0x0000000004B30000-0x0000000004BA6000-memory.dmp

Filesize
472KB

Download
memory/392-7-0x0000000004A50000-0x0000000004A6E000-memory.dmp

Filesize
120KB

Download
memory/392-0-0x00000000000E0000-0x000000000014A000-memory.dmp

Filesize
424KB

Download
memory/392-11-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-16-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4160-23-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/4160-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4160-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4160-15-0x0000000002D30000-0x0000000002D52000-memory.dmp

Filesize
136KB

Download
memory/4160-17-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4160-18-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-20-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/4160-21-0x0000000005200000-0x0000000005220000-memory.dmp

Filesize
128KB

Download
memory/4160-19-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-12-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4160-22-0x00000000064C0000-0x0000000006AD8000-memory.dmp

Filesize
6.1MB

Download
memory/4160-24-0x0000000005380000-0x00000000053BC000-memory.dmp

Filesize
240KB

Download
memory/4160-25-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-26-0x00000000053C0000-0x000000000540C000-memory.dmp

Filesize
304KB

Download
memory/4160-27-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/4160-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4160-29-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4160-30-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-31-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-32-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4160-33-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads