redline | 9697f2beb7e3fcae40a7ae2cea7111087c2e57c3407c135b281fefd9e13ae5b5

General

Target

98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe
Size

193KB
MD5

98b7e1cd5ac9c7c6ea2362d8b13d53e5
SHA1

368c18b73587cac5615ed148715063500a115a08
SHA256

9697f2beb7e3fcae40a7ae2cea7111087c2e57c3407c135b281fefd9e13ae5b5
SHA512

2a625246f85307fb6112bb9ef3871aa8b14aa63a4088eaeae0f0af0ac112a5b3d4898324e0201a9918e1443e5e2ca496bce616700565ade549141fc8d4a42fe7
SSDEEP

6144:p4UdizUJiprVVeJewv3S+ZYkM5W8w2eJCh:di42xVe4w5ZlM5Rw2

Score

10^/10

redline sectoprat @first_namer infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@first_namer

C2

45.67.231.221:52112

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2884-4-0x00000000020B0000-0x00000000020D6000-memory.dmp	family_redline
behavioral1/memory/2780-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2780-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2780-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2780-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2780-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2884-4-0x00000000020B0000-0x00000000020D6000-memory.dmp	family_sectoprat
behavioral1/memory/2780-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2780-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2780-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2780-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2780-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\test.txt	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe
2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe
Token: SeDebugPrivilege	2780	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28
PID 2884 wrote to memory of 2780	2884	98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe	28

C:\Users\Admin\AppData\Local\Temp\98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe
"C:\Users\Admin\AppData\Local\Temp\98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe
  "C:\Users\Admin\AppData\Local\Temp\98b7e1cd5ac9c7c6ea2362d8b13d53e5.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-28-0x0000000004600000-0x0000000004640000-memory.dmp

Filesize
256KB

Download
memory/2780-27-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-26-0x0000000004600000-0x0000000004640000-memory.dmp

Filesize
256KB

Download
memory/2780-25-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2884-4-0x00000000020B0000-0x00000000020D6000-memory.dmp

Filesize
152KB

Download
memory/2884-21-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-0-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download
memory/2884-3-0x0000000002070000-0x00000000020B0000-memory.dmp

Filesize
256KB

Download
memory/2884-2-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/2884-1-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing