redline | ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5

General

Target

ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe
Size

976KB
MD5

8a1d971b45cc4b91fbe2a98a14f1f7e9
SHA1

331b950e0d0ae79c362ae3fdac6ff5e8f02db280
SHA256

ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5
SHA512

2c8913b0680eeeb505b9aabd9f5a7c060f92be1279b6585d820141ac2f41e26778fb83486ed9e3380de0e5f914f3f063fff60e0fcf017e59e4d451154daa0552
SSDEEP

24576:TxLsMs8WdXk89WycIljgE94nI0DkKesxgaai+pBkTx8:Bsld/9WyxlpYI0DkCvepBka

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.99:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2492-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-39-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-42-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2492-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-39-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-42-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2440-49-0x0000000002870000-0x00000000028B0000-memory.dmp	family_sectoprat
behavioral1/memory/2492-52-0x0000000000CF0000-0x0000000000D30000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

pid	Process
2956	PO.exe
2492	PO.exe

Loads dropped DLL 5 IoCs

pid	Process
1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe
1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe
1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe
1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe
2956	PO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 2492	2956	PO.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2956	PO.exe
2956	PO.exe
2956	PO.exe
2956	PO.exe
2440	powershell.exe
2492	PO.exe
2492	PO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	PO.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2492	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	DllHost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2956	1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe	29
PID 1740 wrote to memory of 2956	1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe	29
PID 1740 wrote to memory of 2956	1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe	29
PID 1740 wrote to memory of 2956	1740	ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe	29
PID 2956 wrote to memory of 2440	2956	PO.exe	30
PID 2956 wrote to memory of 2440	2956	PO.exe	30
PID 2956 wrote to memory of 2440	2956	PO.exe	30
PID 2956 wrote to memory of 2440	2956	PO.exe	30
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32
PID 2956 wrote to memory of 2492	2956	PO.exe	32

C:\Users\Admin\AppData\Local\Temp\ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe
"C:\Users\Admin\AppData\Local\Temp\ec0453e0735261daf96af26ddebba797b1394056812d40d9fbbc063f73513aa5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
868KB

MD5
05688bf5edaa27b50cdf1bc3a4de8c63

SHA1
48c7640543918824efebb21b073330aaa0dced50

SHA256
3528b922058c0904e97f80d335cef3873f3f0551fef3fd7b8a614bd7a8188239

SHA512
19e2dc1424b85ea58f7d3445c5c3ede97d9d6c911692d6fc18c1f2d85bebc46064e7ceb5ed918e33884d103c55719284c2646426bec38855cc9545ed29a3385b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8859.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DDE.tmp

Filesize
92KB

MD5
18e04095708297d6889a6962f81e8d8f

SHA1
9a25645db1da0217092c06579599b04982192124

SHA256
4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7

SHA512
45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf

Download Submit
memory/1740-4-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/2200-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-5-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2200-46-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2440-53-0x000000006EC20000-0x000000006F1CB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-51-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/2440-50-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/2440-49-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/2440-48-0x000000006EC20000-0x000000006F1CB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-47-0x000000006EC20000-0x000000006F1CB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-172-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-39-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-45-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-52-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2956-27-0x0000000000A00000-0x0000000000A14000-memory.dmp

Filesize
80KB

Download
memory/2956-28-0x00000000002C0000-0x0000000000344000-memory.dmp

Filesize
528KB

Download
memory/2956-26-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/2956-25-0x0000000000940000-0x0000000000958000-memory.dmp

Filesize
96KB

Download
memory/2956-24-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download
memory/2956-22-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-21-0x0000000000D30000-0x0000000000E0A000-memory.dmp

Filesize
872KB

Download
memory/2956-41-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing