redline

Sharing

Copy URL

Twitter E-mail

General

Target

UHQ Combo Tool.rar
Size

9.2MB
Sample

240427-pjqqysba4w
MD5

d9e364a25bd9677b6963322d5207f43d
SHA1

6cc18ef4982988b94925d5774a97b3034ce31d07
SHA256

ec0ee9965906048d6e0688a2ab57040378262966f2235798bb6d3ff8914fcbf5
SHA512

7b82d69869e2cd6aae3357bb5d5a9080de7dbbef9bc077feb53d6dc0999c11498f85d8937d05bfe8a06cb7ea940c34854d0612991051106fad93bdad1b2b877a
SSDEEP

196608:Oo0h8nGMJl8J4BzaOgAhxYKP/OZevpoE9woAJ12AsZJiuAbftr47Oc:4+GMJphaliJC8p9eP/sKf9W/

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

telegramone

163.5.160.27:51523

Targets

- Target
  
  Cracking Tool/ConsoleApp1.dll
- Size
  
  6KB
- MD5
  
  65b7dd9376f29f87d752de844959a3b3
- SHA1
  
  9f7dd0a81bdb61c6e7b52aa4656b63cae27fc7b0
- SHA256
  
  bda7b191c57f03dac42b18bcca21edb0627854d3a81386a174d72737aa7186e8
- SHA512
  
  a5780071dcdbb4bb65a5609a6311e7cff6fc29709458cf11abec210b568dee8b8e9460065f7109713d4bece434443e4757ecb15b86e6b507886573d794c01986
- SSDEEP
  
  48:6lQFWe88sFwau1S95ChVh909zL6+ifOVvTBOzuQMrsKXj1Uv7a/tdlr59aU6yLKY:N8sgqEVLM+To5op7P9ezNt
Score

1^/10
behavioral1 behavioral2
- Target
  
  Cracking Tool/Mono.Cecil.Pdb.dll
- Size
  
  87KB
- MD5
  
  6d5eb860c2be5dbeb470e7d3f3e7dda4
- SHA1
  
  80c76660b87c52127b1a7da48e27700f75362041
- SHA256
  
  447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4
- SHA512
  
  64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5
- SSDEEP
  
  1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO
Score

1^/10
behavioral3 behavioral4
- Target
  
  Cracking Tool/Mono.Cecil.Rocks.dll
- Size
  
  27KB
- MD5
  
  6e7f0f4fff6c49e3f66127c23b7f1a53
- SHA1
  
  14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a
- SHA256
  
  2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e
- SHA512
  
  0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e
- SSDEEP
  
  384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd
Score

1^/10
behavioral5 behavioral6
- Target
  
  Cracking Tool/stub.dll
- Size
  
  96KB
- MD5
  
  625ed01fd1f2dc43b3c2492956fddc68
- SHA1
  
  48461ef33711d0080d7c520f79a0ec540bda6254
- SHA256
  
  6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b
- SHA512
  
  1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665
- SSDEEP
  
  1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl
Score

10^/10

redline sectoprat infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
behavioral7 behavioral8
- Target
  
  Cracking Tool/tool.exe
- Size
  
  2.5MB
- MD5
  
  5eb488fde8ae946dbe2ee631a44e2264
- SHA1
  
  7a7c0b9d4dfb605bed6d6f1fe256cb2b9e8799db
- SHA256
  
  f4894d1b685f8b6a53bfcbc23869c806258c0b7e7def3f4f946c2d6a7019dfad
- SHA512
  
  29fe591da31225aeb09490ddfed86e3a48c47bc17d2110ca63a7a1b243516cc8fc7f5c3a33e364c718183a4872d145b7ab8d80a5c8b932d69229cae065318c06
- SSDEEP
  
  49152:QS5WRuchCqDjoexP05/h+kaFCxLli+brfU5c47RiPcCfwiUZW8XQJKDRgR:Q6Kuch/DZW5AkaY7iurM247M743M8AYm
Score

10^/10

xmrig evasion miner persistence upx
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  Cracking Tool/x64/Mono.Cecil.Pdb.dll
- Size
  
  87KB
- MD5
  
  6d5eb860c2be5dbeb470e7d3f3e7dda4
- SHA1
  
  80c76660b87c52127b1a7da48e27700f75362041
- SHA256
  
  447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4
- SHA512
  
  64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5
- SSDEEP
  
  1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO
Score

1^/10
behavioral11 behavioral12
- Target
  
  Cracking Tool/x64/Mono.Cecil.Rocks.dll
- Size
  
  27KB
- MD5
  
  6e7f0f4fff6c49e3f66127c23b7f1a53
- SHA1
  
  14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a
- SHA256
  
  2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e
- SHA512
  
  0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e
- SSDEEP
  
  384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd
Score

1^/10
behavioral13 behavioral14
- Target
  
  Cracking Tool/x64/fix.exe
- Size
  
  95KB
- MD5
  
  1f327a277466f1bb04aa5cfcd279c0f7
- SHA1
  
  9bcb7bbac28992b9c7c35ba0573dce7db32ca18f
- SHA256
  
  e8432406bc918c6ce0d245a3bc5bb8c021b218593f94b5d09ebcda7e549f1fc0
- SHA512
  
  82c750475dc42d974c3fd33a4329bce7e99a5c15bf88fe4e802627b321b6c91f78e8be4b82e72380ee34c4de407878d17b18af26d7f5667104fdc55020f68a9d
- SSDEEP
  
  1536:Bqs+FRcqWClbG6jejoigI743Ywzi0Zb78ivombfexv0ujXyyed2ZtmulgS6pUl:veRclyY7+zi0ZbYe1g0ujyzdJU
Score

10^/10

redline sectoprat telegramone infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
behavioral15 behavioral16
- Target
  
  Cracking Tool/x64/fix1.exe
- Size
  
  7.0MB
- MD5
  
  150f7378fd18d19ecc002761fa112de5
- SHA1
  
  a5ef247183d14dcd0d9b112306c1965c38720a1e
- SHA256
  
  b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c
- SHA512
  
  dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d
- SSDEEP
  
  196608:YrUXA1HeT39IigDvKub75bcjWgbkzf7AkjdW86:k1+TtIisvB5IjWqkzZ
Score

7^/10

persistence pyinstaller
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  Cracking Tool/x64/stub.dll
- Size
  
  96KB
- MD5
  
  625ed01fd1f2dc43b3c2492956fddc68
- SHA1
  
  48461ef33711d0080d7c520f79a0ec540bda6254
- SHA256
  
  6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b
- SHA512
  
  1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665
- SSDEEP
  
  1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl
Score

10^/10

redline sectoprat infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

SectopRAT

SectopRAT payload

xmrig

XMRig Miner payload

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

RedLine

RedLine payload

SectopRAT

SectopRAT payload

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20