redline | c189ccfd8d06b7bf459bba39fb8fdbc82fbff4f6f9f4d6f7fb0d13e3a062d55d

Analysis

max time kernel
138s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 05:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e593c0316afe7dbf9fc0771d3f6618c.exe
Size

2.3MB
MD5

8e593c0316afe7dbf9fc0771d3f6618c
SHA1

a678a6c3bf1a9f92681c2bd112f82e87935d4ed9
SHA256

c189ccfd8d06b7bf459bba39fb8fdbc82fbff4f6f9f4d6f7fb0d13e3a062d55d
SHA512

5819d3aa15ba9553c94c39fbecdd13533173e2768cf161f570aa979a6c4011f9c22e4fce921811961ec071c1a7da2c009646f519b75c82da82d811c3a1d9300e
SSDEEP

49152:n5+hFSObPn6gOcnRdgUpbJ23hyhiSFLExRH4NwVlxiz8lVHTIioOFZQ+A:n5aFhjUEvZsohi6L/wVlxiqZ7A

Score

10^/10

redline sectoprat @devil11fd infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@Devil11fd

77.220.214.232:13459

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019429-96.dat	family_redline
behavioral1/memory/1108-99-0x0000000000BB0000-0x0000000000BCE000-memory.dmp	family_redline
behavioral1/memory/1108-101-0x00000000042F0000-0x0000000004330000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019429-96.dat	family_sectoprat
behavioral1/memory/1108-99-0x0000000000BB0000-0x0000000000BCE000-memory.dmp	family_sectoprat
behavioral1/memory/1108-101-0x00000000042F0000-0x0000000004330000-memory.dmp	family_sectoprat

Executes dropped EXE 12 IoCs

pid	Process
2860	7z.exe
3064	7z.exe
2832	7z.exe
2632	7z.exe
2640	7z.exe
580	7z.exe
1896	7z.exe
1164	7z.exe
1356	7z.exe
3052	7z.exe
1088	7z.exe
1108	@Devil11fd.exe

Loads dropped DLL 22 IoCs

pid	Process
2740	cmd.exe
2860	7z.exe
2740	cmd.exe
3064	7z.exe
2740	cmd.exe
2832	7z.exe
2740	cmd.exe
2632	7z.exe
2740	cmd.exe
2640	7z.exe
2740	cmd.exe
580	7z.exe
2740	cmd.exe
1896	7z.exe
2740	cmd.exe
1164	7z.exe
2740	cmd.exe
1356	7z.exe
2740	cmd.exe
3052	7z.exe
2740	cmd.exe
1088	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1108	@Devil11fd.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeRestorePrivilege	2860	7z.exe
Token: 35	2860	7z.exe
Token: SeSecurityPrivilege	2860	7z.exe
Token: SeSecurityPrivilege	2860	7z.exe
Token: SeRestorePrivilege	3064	7z.exe
Token: 35	3064	7z.exe
Token: SeSecurityPrivilege	3064	7z.exe
Token: SeSecurityPrivilege	3064	7z.exe
Token: SeRestorePrivilege	2832	7z.exe
Token: 35	2832	7z.exe
Token: SeSecurityPrivilege	2832	7z.exe
Token: SeSecurityPrivilege	2832	7z.exe
Token: SeRestorePrivilege	2632	7z.exe
Token: 35	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeRestorePrivilege	2640	7z.exe
Token: 35	2640	7z.exe
Token: SeSecurityPrivilege	2640	7z.exe
Token: SeSecurityPrivilege	2640	7z.exe
Token: SeRestorePrivilege	580	7z.exe
Token: 35	580	7z.exe
Token: SeSecurityPrivilege	580	7z.exe
Token: SeSecurityPrivilege	580	7z.exe
Token: SeRestorePrivilege	1896	7z.exe
Token: 35	1896	7z.exe
Token: SeSecurityPrivilege	1896	7z.exe
Token: SeSecurityPrivilege	1896	7z.exe
Token: SeRestorePrivilege	1164	7z.exe
Token: 35	1164	7z.exe
Token: SeSecurityPrivilege	1164	7z.exe
Token: SeSecurityPrivilege	1164	7z.exe
Token: SeRestorePrivilege	1356	7z.exe
Token: 35	1356	7z.exe
Token: SeSecurityPrivilege	1356	7z.exe
Token: SeSecurityPrivilege	1356	7z.exe
Token: SeRestorePrivilege	3052	7z.exe
Token: 35	3052	7z.exe
Token: SeSecurityPrivilege	3052	7z.exe
Token: SeSecurityPrivilege	3052	7z.exe
Token: SeRestorePrivilege	1088	7z.exe
Token: 35	1088	7z.exe
Token: SeSecurityPrivilege	1088	7z.exe
Token: SeSecurityPrivilege	1088	7z.exe
Token: SeDebugPrivilege	1108	@Devil11fd.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2740	2780	8e593c0316afe7dbf9fc0771d3f6618c.exe	11
PID 2780 wrote to memory of 2740	2780	8e593c0316afe7dbf9fc0771d3f6618c.exe	11
PID 2780 wrote to memory of 2740	2780	8e593c0316afe7dbf9fc0771d3f6618c.exe	11
PID 2780 wrote to memory of 2740	2780	8e593c0316afe7dbf9fc0771d3f6618c.exe	11
PID 2740 wrote to memory of 2180	2740	cmd.exe	9
PID 2740 wrote to memory of 2180	2740	cmd.exe	9
PID 2740 wrote to memory of 2180	2740	cmd.exe	9
PID 2740 wrote to memory of 2860	2740	cmd.exe	8
PID 2740 wrote to memory of 2860	2740	cmd.exe	8
PID 2740 wrote to memory of 2860	2740	cmd.exe	8
PID 2740 wrote to memory of 3064	2740	cmd.exe	7
PID 2740 wrote to memory of 3064	2740	cmd.exe	7
PID 2740 wrote to memory of 3064	2740	cmd.exe	7
PID 2740 wrote to memory of 2832	2740	cmd.exe	6
PID 2740 wrote to memory of 2832	2740	cmd.exe	6
PID 2740 wrote to memory of 2832	2740	cmd.exe	6
PID 2740 wrote to memory of 2632	2740	cmd.exe	5
PID 2740 wrote to memory of 2632	2740	cmd.exe	5
PID 2740 wrote to memory of 2632	2740	cmd.exe	5
PID 2740 wrote to memory of 2640	2740	cmd.exe	4
PID 2740 wrote to memory of 2640	2740	cmd.exe	4
PID 2740 wrote to memory of 2640	2740	cmd.exe	4
PID 2740 wrote to memory of 580	2740	cmd.exe	3
PID 2740 wrote to memory of 580	2740	cmd.exe	3
PID 2740 wrote to memory of 580	2740	cmd.exe	3
PID 2740 wrote to memory of 1896	2740	cmd.exe	2
PID 2740 wrote to memory of 1896	2740	cmd.exe	2
PID 2740 wrote to memory of 1896	2740	cmd.exe	2
PID 2740 wrote to memory of 1164	2740	cmd.exe	1
PID 2740 wrote to memory of 1164	2740	cmd.exe	1
PID 2740 wrote to memory of 1164	2740	cmd.exe	1
PID 2740 wrote to memory of 1356	2740	cmd.exe	39
PID 2740 wrote to memory of 1356	2740	cmd.exe	39
PID 2740 wrote to memory of 1356	2740	cmd.exe	39
PID 2740 wrote to memory of 3052	2740	cmd.exe	40
PID 2740 wrote to memory of 3052	2740	cmd.exe	40
PID 2740 wrote to memory of 3052	2740	cmd.exe	40
PID 2740 wrote to memory of 1088	2740	cmd.exe	41
PID 2740 wrote to memory of 1088	2740	cmd.exe	41
PID 2740 wrote to memory of 1088	2740	cmd.exe	41
PID 2740 wrote to memory of 2268	2740	cmd.exe	42
PID 2740 wrote to memory of 2268	2740	cmd.exe	42
PID 2740 wrote to memory of 2268	2740	cmd.exe	42
PID 2740 wrote to memory of 1108	2740	cmd.exe	43
PID 2740 wrote to memory of 1108	2740	cmd.exe	43
PID 2740 wrote to memory of 1108	2740	cmd.exe	43
PID 2740 wrote to memory of 1108	2740	cmd.exe	43

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_5.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_6.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_7.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_8.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_9.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_10.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p___________5764pwd21315pwd15660___________ -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\mode.com
mode 65,10
1⤵
PID:2180

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
  7z.exe e extracted/file_3.zip -oextracted
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
  7z.exe e extracted/file_2.zip -oextracted
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
  7z.exe e extracted/file_1.zip -oextracted
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\system32\attrib.exe
  attrib +H "@Devil11fd.exe"
  2⤵
  - Views/modifies file attributes
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\svchost\@Devil11fd.exe
  "@Devil11fd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1108

C:\Users\Admin\AppData\Local\Temp\8e593c0316afe7dbf9fc0771d3f6618c.exe
"C:\Users\Admin\AppData\Local\Temp\8e593c0316afe7dbf9fc0771d3f6618c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@Devil11fd.exe

Filesize
100KB

MD5
bc136070376f98de7fb8bcf3fdfd12ff

SHA1
59bdc4bbcc240833af0586bc1f68762cafa9206d

SHA256
e073288d8b463699ba8c9122833a39ca0a09edb13fb16ad0ed41db72d6185168

SHA512
c84bb8157e484d568f47a1f3a73cdb877c3fc41c26d510cb1bc9ec8b181f694cc07b8e9ca7df93f3a256e06efa57569f3922aac28b6619a6af1a6df0dc8fd050

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

Filesize
2.0MB

MD5
01317a4826e631bbfee8a800e670bca1

SHA1
ee86498a1c55e8ae9a7eef3cd9e6426bbb36d50a

SHA256
e201ab2ca1f8e22201a5fce619d029cf295ece2877a52791e72072032f3d1e99

SHA512
74d9fcc9f89c390858de4da52ea43753ea719f309af954b577a59b83e7c3b804ca3d7ec312e38bd80532f832b034b8b45bef75159bd3f4f6a865aea841420469

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

Filesize
40KB

MD5
ebae0456aa6e13fad84c458f3092e8a9

SHA1
4c047c8ec5e66e42c2bdd1ead9b4a006822bc07f

SHA256
9f7e8f22ae938288e24b1977d701630d11bff382e3f4112032988666522208c7

SHA512
7695ef851d4c6b925173ca13c13598aabb74958b42f31d8c8bfbb7d6909375f9a78ba35a1aa6f2ff0f69a486a9126263b0f76bdbda9532f7bea81ff80799fc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_10.zip

Filesize
1.5MB

MD5
bf236fbf077dcc352dddcf5d74847a89

SHA1
7134423cb76ae76c1c370c5f9551a5f6ec217e06

SHA256
4068b08987da67776af613f36f99b3fd6aedc7423f8273a47175172b219f80ac

SHA512
4d790f5fdb7cb6229439530085dba5131985002747c190b00443402cbb4eac46683cf7aeaf499c824440c8f18a29e136e25a47431eb54118945ac914d862e976

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

Filesize
40KB

MD5
2f55272662d808cca3d25f44d790c1ea

SHA1
c962ae94ce660390ffb9d2ed09683da094baf1de

SHA256
9c6ffcbace2c2fe11775e2fde2116c1cf8226221386e5e401564c44881ab7217

SHA512
b1a585c56d5e55d603925d86451b20457b1a6d189714b824cb10ca784c400565fa666aa9a098780abf45764ac4f5229f88bd4c9a45932706c40ffaac0875ad9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

Filesize
40KB

MD5
88cb316541ddd95504ccbb3dda438937

SHA1
57538d9df0e0ec4a2fffcee2dd9b66a3275c861e

SHA256
b188be05f48747689cb23b2e179cedf8ea4bf810c0636882f9bacceb51654242

SHA512
c82fbe77c6eb256d4919b96809921ae3d202f05ffd0b8323c3c4bac42c730ad3a5bf57fbba5c84fad7179b2f2770da768eda8cba21a4507e8debc6cf9cdf7fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

Filesize
41KB

MD5
9c74d689d448a002e6c9b8543cb7bbaf

SHA1
3ffa976f5d21f0058f3f8601e9e734b5bae7e89c

SHA256
6bde7a939380ac4ee81eb11559b007a230cd9e0f7fb90527b6648226fe8b53bd

SHA512
07b72527e62dd2e0114be0fc65afdd4987b687735ac0fff0dabd23cfa4419d0ecd9dd4be7e5e3346f92d70e7335fef409a33eefebf6cfb11a404582d99759bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

Filesize
41KB

MD5
25e7c679c17735e55a1fc5a10c2286cb

SHA1
dcfcca2463f5ef16a9ed7ddae4cd459af21054a2

SHA256
9f05c792f44dbd53dfe6d2697ee7803725524299bb7ff9749ce09d3d8924a74a

SHA512
742deebc020ddfbc30be810a11f9ba960b258d60c64b5a2c83e839fa420fc87d173bf3b9c056f8cf25f0cdde8de495aae7c89fc0f74202876a2f370d7db343a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip

Filesize
41KB

MD5
27a2d70b90bb71a321a8e2a7708c6d1a

SHA1
9642d315b59234ecc7df010673c78e69996dabbb

SHA256
dfc21bbf223d5606f65735933c05a01aae5015294b201d0bd707b9ef97e19400

SHA512
29bd1e38687bf76f63a74e1ec07c2cde353a2c9132b4462093ac997a15ecd9b90a206c3694f4716a421e93685a56a855041f3c6684d6541efa29e95c74b95368

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip

Filesize
41KB

MD5
677301d9c5aee4b96e6372a3f67f357c

SHA1
701087de40e105ed949e245bbbddae6e1f062abc

SHA256
125268bf4f2d81947204fd4dd80fdfb14e01043fdc2ae1bb3815d538a0712e32

SHA512
d6fca399f6170f9a486ef06b546a4dffac6983b27a6e7cc432b5d5d756cf06fd1d8405486b53ea2b87d5e2d13173e0110ebe2266ef49fd1c84087a63e2a648a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_8.zip

Filesize
41KB

MD5
f6627a655a2748e655ab1d1ebea98ac1

SHA1
01a5a9e7929c84f52f3f06398216ef3e64fb0548

SHA256
1be6d447da0156ae8c6fdf08f809838796eee21622eb79b594f038f5a7410a60

SHA512
9a8f8c632b1e4d40c12db7a24d25f4ec24b6e120a0213fae6f205a59699792b796765762d0837e96e6c431af341fd214ef8a0d25bf47678b7d3cba1fcef90df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_9.zip

Filesize
41KB

MD5
2c692ad313259b7ac034720a32198d63

SHA1
4990a193378f3f3287395cbaab1f65d2d339a462

SHA256
8ba5aae604a42a0226c81bda827b0bdee5708d1551415e7a5bd35f3f0170c78b

SHA512
ba0f8ff90560e6fcc7087dc7e15400b641162a57814cf5f9cf25f8faedb0289f231568a61d8324152996ae4887fa8bbc6082b6a79bce999d9827016842dc2fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

Filesize
1.5MB

MD5
5108a6321ead8fb10412ca55a8f41255

SHA1
c0a0f07093118aac8c4f06d5e3967448f207ddfa

SHA256
25def83bbbb69dbb993bac5f164de5792c1e79f3ff9e41f5b51d651a6e9d5547

SHA512
8b8102b64efce6cce0c1f6d35f7d3aabff5b69ec98748ce9e74e79e20911bdb923c67d30ed85463aae2aef4dcebbd205b43117ac90e38a5bf704e5e60e154206

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Filesize
505B

MD5
c948a137169fc4d9057147aa497b1b3c

SHA1
4ba9c05e6dbf875c4084fe1a968c3218ec89a948

SHA256
db183f4ecc54d598a712ee1a30f4cf13e35efba456d4d5907bcb7264ea1ae7f6

SHA512
309b38b2369993edc3d699fa36cd0ea7ce22c0daa6945f671a6a34c0ec7fe6da824e362f62e11551bcfca876e1ed0d8df83b81fe5185854d2671fe27b4d460e1

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1108-99-0x0000000000BB0000-0x0000000000BCE000-memory.dmp

Filesize
120KB

Download
memory/1108-100-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/1108-101-0x00000000042F0000-0x0000000004330000-memory.dmp

Filesize
256KB

Download
memory/1108-102-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/1108-103-0x00000000042F0000-0x0000000004330000-memory.dmp

Filesize
256KB

Download