redline | 235e6d8a984c6c293b737d5a59960cfb3a091945da8aade6e7dfa16a8209dd7f

General

Target

f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe
Size

876KB
MD5

f3e4e1a649176fa6496a36faea34cead
SHA1

3d31a5d9dda58e53119ca6b2a72b432fbf3e6479
SHA256

235e6d8a984c6c293b737d5a59960cfb3a091945da8aade6e7dfa16a8209dd7f
SHA512

3d9099e77200813aa1ee6997e8778863f434f91c4bfcb963dc985bbe251b457a770cd7ba9de1b651b71d9af83de761e6de283d594095635fc981d7331f1ff3e0
SSDEEP

24576:nyLHuEU/Ve5SXJe8qXHgaKpr6gLUIpnK2ljS27vs:yLOgR3fgLPpyU

Score

10^/10

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Build2_Mastif

C2

95.181.157.69:8552

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4760-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4760-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
2012	Install.exe
3280	RUNTIM~1.EXE
4760	RUNTIM~1.EXE

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0009000000023525-13.dat	agile_net
behavioral2/memory/3280-15-0x0000000000920000-0x0000000000A2A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
18	iplogger.org
19	iplogger.org
20	iplogger.org
22	iplogger.org
26	iplogger.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 4760	3280	RUNTIM~1.EXE	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	RUNTIM~1.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2012	4804	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe	89
PID 4804 wrote to memory of 2012	4804	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe	89
PID 4804 wrote to memory of 2012	4804	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe	89
PID 2012 wrote to memory of 3868	2012	Install.exe	94
PID 2012 wrote to memory of 3868	2012	Install.exe	94
PID 2012 wrote to memory of 3868	2012	Install.exe	94
PID 3868 wrote to memory of 4172	3868	cmd.exe	97
PID 3868 wrote to memory of 4172	3868	cmd.exe	97
PID 4804 wrote to memory of 3280	4804	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe	99
PID 4804 wrote to memory of 3280	4804	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe	99
PID 4804 wrote to memory of 3280	4804	f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe	99
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107
PID 3280 wrote to memory of 4760	3280	RUNTIM~1.EXE	107

C:\Users\Admin\AppData\Local\Temp\f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3e4e1a649176fa6496a36faea34cead_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS143F.tmp\Install.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1XQju7
      4⤵
      PID:4172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=4056,i,2857654520668216285,12206737327839963915,262144 --variations-seed-version --mojo-platform-channel-handle=760 /prefetch:1
1⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5392,i,2857654520668216285,12206737327839963915,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:8
1⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4620,i,2857654520668216285,12206737327839963915,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RUNTIM~1.EXE.log

Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS143F.tmp\Install.cmd

Filesize
51B

MD5
21661026606353f423078c883708787d

SHA1
338e288b851e0e5bee26f887e50bfcd8150e8257

SHA256
6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782

SHA512
61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
117KB

MD5
3973c47bf5f334ea720a9d603d2c6510

SHA1
bf2b72dc12d4d41e08b452e465c40d010b2aba4e

SHA256
4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea

SHA512
cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Filesize
1.0MB

MD5
0c6ef320b361f01d63147dec80c3f34c

SHA1
c04adc3da100118f72e41c1c4645cbf8fa813cee

SHA256
bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f

SHA512
f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69

Download Submit
memory/3280-26-0x0000000008200000-0x000000000828A000-memory.dmp

Filesize
552KB

Download
memory/3280-27-0x000000000A940000-0x000000000A95E000-memory.dmp

Filesize
120KB

Download
memory/3280-18-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/3280-19-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/3280-20-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/3280-21-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/3280-22-0x00000000055D0000-0x0000000005626000-memory.dmp

Filesize
344KB

Download
memory/3280-23-0x00000000057A0000-0x00000000057B8000-memory.dmp

Filesize
96KB

Download
memory/3280-24-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-25-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/3280-16-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-17-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/3280-32-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-15-0x0000000000920000-0x0000000000A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4760-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4760-33-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-34-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/4760-35-0x0000000005270000-0x0000000005282000-memory.dmp

Filesize
72KB

Download
memory/4760-36-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/4760-37-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4760-38-0x0000000005310000-0x000000000535C000-memory.dmp

Filesize
304KB

Download
memory/4760-39-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/4760-40-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-41-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads