redline | 1c8ba0ea86801366c0e20104ab91dee4693847b2a30c7fe6a65c91ee5e449c09

General

Target

MSBuild.exe
Size

180KB
MD5

7bb3d913742d3d4ab1e2236bfde7e4a6
SHA1

abff865c52824231776460bd7b1d068b121d3986
SHA256

1c8ba0ea86801366c0e20104ab91dee4693847b2a30c7fe6a65c91ee5e449c09
SHA512

3c197af92e31ea114494c3843f1c1dedb869828db9130435478ebd792cfb09a5101832447be85aa18a8c86b9051dfb23108f5a23841553d4c5cd1951c2a6ed65
SSDEEP

3072:q6AzkocoBLU5/ZApNhZ1FIoKuLrCfutILmfLulmScfrHrqPhhNsf9Y9oG:LAzkigdZApNH1FIoKdfuGL0S8jGhN0KR

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

TKANDERS.theworkpc.com:49182

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 2836 set thread context of 1524 2836 MSBuild.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

MSBuild.exeMSBuild.exe

pid process

2836 MSBuild.exe
2836 MSBuild.exe
2836 MSBuild.exe
2836 MSBuild.exe
2836 MSBuild.exe
1524 MSBuild.exe
1524 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSBuild.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 2836 MSBuild.exe
Token: SeDebugPrivilege 1524 MSBuild.exe

description	pid	process	target process
PID 2836 set thread context of 1524	2836	MSBuild.exe	MSBuild.exe

pid	process
2836	MSBuild.exe
2836	MSBuild.exe
2836	MSBuild.exe
2836	MSBuild.exe
2836	MSBuild.exe
1524	MSBuild.exe
1524	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2836	MSBuild.exe
Token: SeDebugPrivilege	1524	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

MSBuild.exe

description	pid	process	target process
PID 2836 wrote to memory of 1444	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1444	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1444	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe
PID 2836 wrote to memory of 1524	2836	MSBuild.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"
2⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Filesize
847B

MD5
ef375f28c91db0202bf7db29c0cbc2ce

SHA1
5a3f5d4ec75a468b908c2eb2b9e6f4b1e76c1017

SHA256
f4d1c038db378dec10e7e2fc81ccc2e2d4b8132ef0d66905e3625a0b0cbbde5f

SHA512
f18141e352fcd253e02cb25fa0cff29ab06dec62bafd5aa80ca48c959d1dba97deae830d01bf521f851a8143b9416747eb170d0cedafa32b59155027c02f244d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE86D.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8A2.tmp
Filesize
100KB

MD5
381b3586815e6993a58a56774117e22c

SHA1
8d0dd1b77522c8c3498665a5ef20b350a93d91c1

SHA256
5b56e288e2e08a26cdbe0af5f88e9225dc1fd74ee9e3e72d68917f1befe48896

SHA512
b158a089174e62ae187e8ed07b9d9c89ba20cc0b32f6a704a4fd099907b3b56be5ade05bea786664c6fc5df9d15223895d679367628c9e51095381d3b946345a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE91B.tmp
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE931.tmp
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE946.tmp
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE971.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/1524-22-0x0000000007690000-0x00000000076F6000-memory.dmp

Filesize
408KB

Download
memory/1524-19-0x0000000006CE0000-0x0000000006D72000-memory.dmp

Filesize
584KB

Download
memory/1524-10-0x0000000005A10000-0x0000000006028000-memory.dmp

Filesize
6.1MB

Download
memory/1524-11-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/1524-12-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/1524-13-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1524-14-0x0000000005490000-0x00000000054DC000-memory.dmp

Filesize
304KB

Download
memory/1524-15-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/1524-16-0x00000000069F0000-0x0000000006BB2000-memory.dmp

Filesize
1.8MB

Download
memory/1524-17-0x00000000070F0000-0x000000000761C000-memory.dmp

Filesize
5.2MB

Download
memory/1524-18-0x0000000006BC0000-0x0000000006C36000-memory.dmp

Filesize
472KB

Download
memory/1524-9-0x0000000074BC0000-0x0000000075371000-memory.dmp

Filesize
7.7MB

Download
memory/1524-20-0x0000000007BD0000-0x0000000008176000-memory.dmp

Filesize
5.6MB

Download
memory/1524-21-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

Filesize
120KB

Download
memory/1524-204-0x0000000074BC0000-0x0000000075371000-memory.dmp

Filesize
7.7MB

Download
memory/1524-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2836-8-0x0000000074BC0000-0x0000000075371000-memory.dmp

Filesize
7.7MB

Download
memory/2836-4-0x0000000002EE0000-0x0000000002EE6000-memory.dmp

Filesize
24KB

Download
memory/2836-3-0x0000000002E50000-0x0000000002E6A000-memory.dmp

Filesize
104KB

Download
memory/2836-2-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/2836-1-0x0000000074BC0000-0x0000000075371000-memory.dmp

Filesize
7.7MB

Download
memory/2836-0-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads