redline | 4c729bce0fed845f963ff70d77bc3a57affd2afab9c556244f044695bd4875ed

General

Target

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe
Size

3.4MB
MD5

db427cc5464c265577871c31bc1065d0
SHA1

796cf29ee18ef8997b901295326f18dbe0d0a7dd
SHA256

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5
SHA512

5002167b41cd4460417d72a283aded7d0c7c9fc171cc6996abd5fbcd02f0fbb217164e189a042631d4abf5f76d84b7b24b94008d8027b5a86b2f19523c1bc993
SSDEEP

24576:TVsQ6BKfC+CWDU2fy6Uuri8MmOmbCYUz7PH8Zeaj0HM3ow5XtyB:TVeBB2kMOnYUvPb

Score

10^/10

redline sectoprat cheat infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

91.92.249.99:13359

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_redline
behavioral1/memory/2304-18-0x00000000012D0000-0x00000000012EE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-1-0x00000000002E0000-0x0000000000652000-memory.dmp	family_sectoprat
C:\ProgramData\HMC.exe	family_sectoprat
C:\ProgramData\build.exe	family_sectoprat
behavioral1/memory/1188-14-0x0000000000C50000-0x0000000000F5C000-memory.dmp	family_sectoprat
behavioral1/memory/2304-18-0x00000000012D0000-0x00000000012EE000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

HMC.exebuild.exe

pid process

1188 HMC.exe
2304 build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 2304 build.exe

pid	process
1188	HMC.exe
2304	build.exe

description	pid	process
Token: SeDebugPrivilege	2304	build.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exeHMC.exe

description	pid	process	target process
PID 3024 wrote to memory of 1188	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 3024 wrote to memory of 1188	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 3024 wrote to memory of 1188	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 3024 wrote to memory of 2304	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 3024 wrote to memory of 2304	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 3024 wrote to memory of 2304	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 3024 wrote to memory of 2304	3024	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 1188 wrote to memory of 2264	1188	HMC.exe	WerFault.exe
PID 1188 wrote to memory of 2264	1188	HMC.exe	WerFault.exe
PID 1188 wrote to memory of 2264	1188	HMC.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe
"C:\Users\Admin\AppData\Local\Temp\e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\ProgramData\HMC.exe
  "C:\ProgramData\HMC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1188 -s 680
    3⤵
    PID:2264
- C:\ProgramData\build.exe
  "C:\ProgramData\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HMC.exe

Filesize
3.0MB

MD5
6e4727684bbce2a7e6ce6824792c5cd8

SHA1
d20e40c0e81476dbecdbe859931a25d279fc055e

SHA256
3c0d3ca35dcf977eade9897106a46ae8def8d1eecd757cc07e31bd13b00d2198

SHA512
5c55bda7008c5c54c8122e7934c3ef0f70325138a4fbff4201d430fccac13d4ade2b9be8aa86e1b8969bc26f84303d2ccb1a20cd1980ba7a85013d37a0024200

Download Submit
C:\ProgramData\build.exe

Filesize
96KB

MD5
d1af2776a0515fa6de91acb0a442048d

SHA1
78c76b53352d5eb9f2761d19a3063b203d369bad

SHA256
972d6d5273ea9f4615e77d13fed4c51edd7ecc263112f1ce90f8847199b5a248

SHA512
b96feea2fff7f32fe3ed27c55b414bd56a56a680e2f056c8ababa278e753de680eb17ce509c1665de8477b07499ecdf0671bb36dd6515df130d1d32c0982ab5c

Download Submit
memory/1188-14-0x0000000000C50000-0x0000000000F5C000-memory.dmp

Filesize
3.0MB

Download
memory/1188-13-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1188-15-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1188-19-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-18-0x00000000012D0000-0x00000000012EE000-memory.dmp

Filesize
120KB

Download
memory/3024-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x00000000002E0000-0x0000000000652000-memory.dmp

Filesize
3.4MB

Download
memory/3024-2-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-17-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads