redline | 1e942bf4ee3c98b45c4bb537d00fee0fa91188d1d13ed01dd88341682c398bec

General

Target

9b4e79ce1583fee33c9ded57bfde8ea7.exe
Size

549KB
MD5

9b4e79ce1583fee33c9ded57bfde8ea7
SHA1

f76d584e345165283ca912f1761a941d23a4674c
SHA256

1e942bf4ee3c98b45c4bb537d00fee0fa91188d1d13ed01dd88341682c398bec
SHA512

e95ebb2371085b9681dde3b97e70f69cf7f75529e318960c28e75912b64044b08ad0ef8419ef08cc10fc4f6bb7667ecbe84daeb07dc004582742532ef1037265
SSDEEP

12288:HfOu7Om77kvTqSk4GROrjN5zxSYl0iSoR0nBs5qAPj:GuSi7kkRORSY8oSnixP

Score

10^/10

redline sectoprat @bbakoch evasion infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@bbakoch

C2

37.1.213.214:63028

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2096-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2096-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	9b4e79ce1583fee33c9ded57bfde8ea7.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	9b4e79ce1583fee33c9ded57bfde8ea7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9b4e79ce1583fee33c9ded57bfde8ea7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9b4e79ce1583fee33c9ded57bfde8ea7.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	9b4e79ce1583fee33c9ded57bfde8ea7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	9b4e79ce1583fee33c9ded57bfde8ea7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe
3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe
3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe
Token: SeDebugPrivilege	2096	9b4e79ce1583fee33c9ded57bfde8ea7.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3340	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	92
PID 3408 wrote to memory of 3340	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	92
PID 3408 wrote to memory of 3340	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	92
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93
PID 3408 wrote to memory of 2096	3408	9b4e79ce1583fee33c9ded57bfde8ea7.exe	93

C:\Users\Admin\AppData\Local\Temp\9b4e79ce1583fee33c9ded57bfde8ea7.exe
"C:\Users\Admin\AppData\Local\Temp\9b4e79ce1583fee33c9ded57bfde8ea7.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\9b4e79ce1583fee33c9ded57bfde8ea7.exe
  "{path}"
  2⤵
  PID:3340
- C:\Users\Admin\AppData\Local\Temp\9b4e79ce1583fee33c9ded57bfde8ea7.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9b4e79ce1583fee33c9ded57bfde8ea7.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
memory/2096-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2096-25-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/2096-24-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2096-23-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/2096-22-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download
memory/2096-21-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/2096-20-0x0000000005360000-0x000000000539C000-memory.dmp

Filesize
240KB

Download
memory/2096-19-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/2096-18-0x0000000005920000-0x0000000005F38000-memory.dmp

Filesize
6.1MB

Download
memory/2096-17-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-6-0x0000000005D40000-0x0000000005D48000-memory.dmp

Filesize
32KB

Download
memory/3408-7-0x0000000008290000-0x000000000832C000-memory.dmp

Filesize
624KB

Download
memory/3408-11-0x000000000AF60000-0x000000000AF98000-memory.dmp

Filesize
224KB

Download
memory/3408-15-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-10-0x0000000008980000-0x0000000008A04000-memory.dmp

Filesize
528KB

Download
memory/3408-9-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3408-8-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-12-0x000000000DFA0000-0x000000000E006000-memory.dmp

Filesize
408KB

Download
memory/3408-0-0x0000000000F40000-0x0000000000FD0000-memory.dmp

Filesize
576KB

Download
memory/3408-5-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/3408-4-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3408-3-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/3408-2-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/3408-1-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads