redline | e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5

General

Target

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe
Size

3.4MB
MD5

db427cc5464c265577871c31bc1065d0
SHA1

796cf29ee18ef8997b901295326f18dbe0d0a7dd
SHA256

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5
SHA512

5002167b41cd4460417d72a283aded7d0c7c9fc171cc6996abd5fbcd02f0fbb217164e189a042631d4abf5f76d84b7b24b94008d8027b5a86b2f19523c1bc993
SSDEEP

24576:TVsQ6BKfC+CWDU2fy6Uuri8MmOmbCYUz7PH8Zeaj0HM3ow5XtyB:TVeBB2kMOnYUvPb

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

91.92.249.99:13359

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_redline
behavioral2/memory/2308-32-0x0000000000060000-0x000000000007E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5052-1-0x0000000000AA0000-0x0000000000E12000-memory.dmp	family_sectoprat
C:\ProgramData\HMC.exe	family_sectoprat
C:\ProgramData\build.exe	family_sectoprat
behavioral2/memory/3340-27-0x0000000000AC0000-0x0000000000DCC000-memory.dmp	family_sectoprat
behavioral2/memory/2308-32-0x0000000000060000-0x000000000007E000-memory.dmp	family_sectoprat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5052-1-0x0000000000AA0000-0x0000000000E12000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
C:\ProgramData\HMC.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
C:\ProgramData\build.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/3340-27-0x0000000000AC0000-0x0000000000DCC000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/2308-32-0x0000000000060000-0x000000000007E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables packed with ConfuserEx Mod 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5052-1-0x0000000000AA0000-0x0000000000E12000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
C:\ProgramData\HMC.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/3340-27-0x0000000000AC0000-0x0000000000DCC000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe

Executes dropped EXE 2 IoCs

Processes:

HMC.exebuild.exe

pid process

3340 HMC.exe
2308 build.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

build.exe

pid process

2308 build.exe
2308 build.exe
2308 build.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 2308 build.exe

pid	process
3340	HMC.exe
2308	build.exe

pid	process
2308	build.exe
2308	build.exe
2308	build.exe

description	pid	process
Token: SeDebugPrivilege	2308	build.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe

description	pid	process	target process
PID 5052 wrote to memory of 3340	5052	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 5052 wrote to memory of 3340	5052	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 5052 wrote to memory of 2308	5052	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 5052 wrote to memory of 2308	5052	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 5052 wrote to memory of 2308	5052	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe

C:\Users\Admin\AppData\Local\Temp\e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe
"C:\Users\Admin\AppData\Local\Temp\e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\ProgramData\HMC.exe
  "C:\ProgramData\HMC.exe"
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\ProgramData\build.exe
  "C:\ProgramData\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HMC.exe

Filesize
3.0MB

MD5
6e4727684bbce2a7e6ce6824792c5cd8

SHA1
d20e40c0e81476dbecdbe859931a25d279fc055e

SHA256
3c0d3ca35dcf977eade9897106a46ae8def8d1eecd757cc07e31bd13b00d2198

SHA512
5c55bda7008c5c54c8122e7934c3ef0f70325138a4fbff4201d430fccac13d4ade2b9be8aa86e1b8969bc26f84303d2ccb1a20cd1980ba7a85013d37a0024200

Download Submit
C:\ProgramData\build.exe

Filesize
96KB

MD5
d1af2776a0515fa6de91acb0a442048d

SHA1
78c76b53352d5eb9f2761d19a3063b203d369bad

SHA256
972d6d5273ea9f4615e77d13fed4c51edd7ecc263112f1ce90f8847199b5a248

SHA512
b96feea2fff7f32fe3ed27c55b414bd56a56a680e2f056c8ababa278e753de680eb17ce509c1665de8477b07499ecdf0671bb36dd6515df130d1d32c0982ab5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp972.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp997.tmp

Filesize
100KB

MD5
baa675ce4124ca3fc5033e2a2c53dbd1

SHA1
2dcc5513270c723fff6148dd2f8196081f83bb16

SHA256
22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4

SHA512
047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp

Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C8.tmp

Filesize
228KB

MD5
d4022bef8bce579c21975ccbea962577

SHA1
f476789f6836feb7650caa4fd8944802e05cc772

SHA256
235496d27137624190e6e4526b289f215efa617960b9b1261001ac2db258e08d

SHA512
f94abffd3963d5baf2eca43924b87d31a7dc60de2f0a8b419a21c250bbf09417b37bd1285c746e59aa95a3b20a2a2b939e5b71c249a105088c8d6ab1f7e609ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA03.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/2308-44-0x0000000007DC0000-0x0000000007DDE000-memory.dmp

Filesize
120KB

Download
memory/2308-41-0x0000000007AF0000-0x0000000007CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-32-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2308-33-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/2308-35-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/2308-36-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/2308-34-0x0000000005AF0000-0x0000000006108000-memory.dmp

Filesize
6.1MB

Download
memory/2308-37-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/2308-38-0x0000000005890000-0x00000000058DC000-memory.dmp

Filesize
304KB

Download
memory/2308-39-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download
memory/2308-45-0x0000000007FC0000-0x0000000008026000-memory.dmp

Filesize
408KB

Download
memory/2308-43-0x00000000079E0000-0x0000000007A56000-memory.dmp

Filesize
472KB

Download
memory/2308-42-0x00000000081F0000-0x000000000871C000-memory.dmp

Filesize
5.2MB

Download
memory/3340-40-0x00007FFFAC1A0000-0x00007FFFACC61000-memory.dmp

Filesize
10.8MB

Download
memory/3340-30-0x00007FFFAC1A0000-0x00007FFFACC61000-memory.dmp

Filesize
10.8MB

Download
memory/3340-27-0x0000000000AC0000-0x0000000000DCC000-memory.dmp

Filesize
3.0MB

Download
memory/3340-28-0x00007FFFAC1A0000-0x00007FFFACC61000-memory.dmp

Filesize
10.8MB

Download
memory/5052-29-0x00007FFFAC1A0000-0x00007FFFACC61000-memory.dmp

Filesize
10.8MB

Download
memory/5052-0-0x00007FFFAC1A3000-0x00007FFFAC1A5000-memory.dmp

Filesize
8KB

Download
memory/5052-2-0x00007FFFAC1A0000-0x00007FFFACC61000-memory.dmp

Filesize
10.8MB

Download
memory/5052-1-0x0000000000AA0000-0x0000000000E12000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads