redline | 935a82b438893da3447df6631f85b494e48c474b410d09199b9a80359506232c

General

Target

8f971c054cd506d521cd458102d4025f.exe
Size

199KB
MD5

8f971c054cd506d521cd458102d4025f
SHA1

5c938e37701bc4a287343b283938bdcb1c0f27b0
SHA256

935a82b438893da3447df6631f85b494e48c474b410d09199b9a80359506232c
SHA512

50733b0fa5748bc6b0145b1139d56a3af96f5c9aa9b337063f3484ad5e4bb012db1615675ad8c78842eb49ccca475493de90a7a733fe01fe341bd5f818e856d3
SSDEEP

3072:b2HR1GaR3X65QahMBrvvbbk9alOx9IqjSLseQOOtpQWtgX/:b2h65QahMBzvbbtOT9jSLseQNPQWtg

Score

10^/10

redline sectoprat @kexit99 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@kexit99

C2

45.81.227.32:22625

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral1/memory/2852-10-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/2852-14-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/2852-15-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/2852-23-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/2852-20-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/2852-9-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/2852-25-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_redline
behavioral1/memory/2852-27-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/2852-10-0x0000000000080000-0x000000000009E000-memory.dmp	family_sectoprat
behavioral1/memory/2852-14-0x0000000000080000-0x000000000009E000-memory.dmp	family_sectoprat
behavioral1/memory/2852-15-0x0000000000080000-0x000000000009E000-memory.dmp	family_sectoprat
behavioral1/memory/2852-23-0x0000000000080000-0x000000000009E000-memory.dmp	family_sectoprat
behavioral1/memory/2852-20-0x0000000000080000-0x000000000009E000-memory.dmp	family_sectoprat
behavioral1/memory/2852-9-0x0000000000080000-0x000000000009E000-memory.dmp	family_sectoprat
behavioral1/memory/2852-25-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_sectoprat
behavioral1/memory/2852-27-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	8f971c054cd506d521cd458102d4025f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27
PID 2740 wrote to memory of 2852	2740	8f971c054cd506d521cd458102d4025f.exe	27

C:\Users\Admin\AppData\Local\Temp\8f971c054cd506d521cd458102d4025f.exe
"C:\Users\Admin\AppData\Local\Temp\8f971c054cd506d521cd458102d4025f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\8f971c054cd506d521cd458102d4025f.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2740-17-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-4-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download
memory/2740-0-0x0000000000200000-0x000000000023C000-memory.dmp

Filesize
240KB

Download
memory/2740-3-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2740-1-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-5-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2740-6-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2740-2-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2852-24-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-15-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-10-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-23-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-20-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-14-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-7-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-8-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-9-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2852-25-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2852-26-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-27-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing