redline | 4c729bce0fed845f963ff70d77bc3a57affd2afab9c556244f044695bd4875ed

General

Target

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe
Size

3.4MB
MD5

db427cc5464c265577871c31bc1065d0
SHA1

796cf29ee18ef8997b901295326f18dbe0d0a7dd
SHA256

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5
SHA512

5002167b41cd4460417d72a283aded7d0c7c9fc171cc6996abd5fbcd02f0fbb217164e189a042631d4abf5f76d84b7b24b94008d8027b5a86b2f19523c1bc993
SSDEEP

24576:TVsQ6BKfC+CWDU2fy6Uuri8MmOmbCYUz7PH8Zeaj0HM3ow5XtyB:TVeBB2kMOnYUvPb

Score

10^/10

redline sectoprat cheat infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

91.92.249.99:13359

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_redline
behavioral2/memory/3940-33-0x0000000000EC0000-0x0000000000EDE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2472-1-0x0000000000990000-0x0000000000D02000-memory.dmp	family_sectoprat
C:\ProgramData\HMC.exe	family_sectoprat
C:\ProgramData\build.exe	family_sectoprat
behavioral2/memory/4960-29-0x0000000000A30000-0x0000000000D3C000-memory.dmp	family_sectoprat
behavioral2/memory/3940-33-0x0000000000EC0000-0x0000000000EDE000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe

Executes dropped EXE 2 IoCs

Processes:

HMC.exebuild.exe

pid process

4960 HMC.exe
3940 build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 3940 build.exe

pid	process
4960	HMC.exe
3940	build.exe

description	pid	process
Token: SeDebugPrivilege	3940	build.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe

description	pid	process	target process
PID 2472 wrote to memory of 4960	2472	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 2472 wrote to memory of 4960	2472	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	HMC.exe
PID 2472 wrote to memory of 3940	2472	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 2472 wrote to memory of 3940	2472	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe
PID 2472 wrote to memory of 3940	2472	e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe	build.exe

C:\Users\Admin\AppData\Local\Temp\e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe
"C:\Users\Admin\AppData\Local\Temp\e1dbb4d7308b83fa578a49acb3f8d23b643824ba5626ee3c4b7abd7b6c4f7ac5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2472
- C:\ProgramData\HMC.exe
  "C:\ProgramData\HMC.exe"
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\ProgramData\build.exe
  "C:\ProgramData\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HMC.exe

Filesize
3.0MB

MD5
6e4727684bbce2a7e6ce6824792c5cd8

SHA1
d20e40c0e81476dbecdbe859931a25d279fc055e

SHA256
3c0d3ca35dcf977eade9897106a46ae8def8d1eecd757cc07e31bd13b00d2198

SHA512
5c55bda7008c5c54c8122e7934c3ef0f70325138a4fbff4201d430fccac13d4ade2b9be8aa86e1b8969bc26f84303d2ccb1a20cd1980ba7a85013d37a0024200

Download Submit
C:\ProgramData\build.exe

Filesize
96KB

MD5
d1af2776a0515fa6de91acb0a442048d

SHA1
78c76b53352d5eb9f2761d19a3063b203d369bad

SHA256
972d6d5273ea9f4615e77d13fed4c51edd7ecc263112f1ce90f8847199b5a248

SHA512
b96feea2fff7f32fe3ed27c55b414bd56a56a680e2f056c8ababa278e753de680eb17ce509c1665de8477b07499ecdf0671bb36dd6515df130d1d32c0982ab5c

Download Submit
memory/2472-30-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/2472-1-0x0000000000990000-0x0000000000D02000-memory.dmp

Filesize
3.4MB

Download
memory/2472-2-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/2472-0-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp

Filesize
8KB

Download
memory/2472-27-0x000000001B9F0000-0x000000001BB99000-memory.dmp

Filesize
1.7MB

Download
memory/3940-38-0x00000000063B0000-0x00000000063EC000-memory.dmp

Filesize
240KB

Download
memory/3940-33-0x0000000000EC0000-0x0000000000EDE000-memory.dmp

Filesize
120KB

Download
memory/3940-35-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/3940-34-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/3940-36-0x0000000006990000-0x0000000006FA8000-memory.dmp

Filesize
6.1MB

Download
memory/3940-37-0x0000000005910000-0x0000000005922000-memory.dmp

Filesize
72KB

Download
memory/3940-39-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3940-40-0x0000000008320000-0x000000000842A000-memory.dmp

Filesize
1.0MB

Download
memory/4960-28-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/4960-31-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/4960-29-0x0000000000A30000-0x0000000000D3C000-memory.dmp

Filesize
3.0MB

Download
memory/4960-41-0x000000001BB80000-0x000000001BD29000-memory.dmp

Filesize
1.7MB

Download
memory/4960-42-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads