redline | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d

Analysis

max time kernel
135s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17888a2c90547f557c1f88877d7353e0.exe
Size

619KB
MD5

17888a2c90547f557c1f88877d7353e0
SHA1

582760951fd4418ec3f949ab5d55a53ce578203d
SHA256

4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d
SHA512

cfe1ecc5b4e011e0f1281568519dbaf6b8b9bb73bd1a8d8fbc8547c2a846a24a2f7ccc273d182a086136c3689674fe74b1784717bcf094504e95fc4f4d67ca1d
SSDEEP

12288:iw2iN3skSKSIwpdj6kxlApT9NUYzKoXKMXPK6QD0GD7k0nVXB:iw19JSNIAdLL0WwhX8dvB

Score

10^/10

redline sectoprat 3 discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

94.156.8.28:65012

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4116-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4116-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2212 powershell.exe
4044 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17888a2c90547f557c1f88877d7353e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	17888a2c90547f557c1f88877d7353e0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

17888a2c90547f557c1f88877d7353e0.exe

description pid process target process

PID 1824 set thread context of 4116 1824 17888a2c90547f557c1f88877d7353e0.exe 17888a2c90547f557c1f88877d7353e0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4344 schtasks.exe

description	pid	process	target process
PID 1824 set thread context of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe

pid	process
4344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe17888a2c90547f557c1f88877d7353e0.exe

pid	process
2212	powershell.exe
2212	powershell.exe
4044	powershell.exe
4044	powershell.exe
2212	powershell.exe
4044	powershell.exe
4116	17888a2c90547f557c1f88877d7353e0.exe
4116	17888a2c90547f557c1f88877d7353e0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exe17888a2c90547f557c1f88877d7353e0.exe

description	pid	process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	4116	17888a2c90547f557c1f88877d7353e0.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

17888a2c90547f557c1f88877d7353e0.exe

description	pid	process	target process
PID 1824 wrote to memory of 2212	1824	17888a2c90547f557c1f88877d7353e0.exe	powershell.exe
PID 1824 wrote to memory of 2212	1824	17888a2c90547f557c1f88877d7353e0.exe	powershell.exe
PID 1824 wrote to memory of 2212	1824	17888a2c90547f557c1f88877d7353e0.exe	powershell.exe
PID 1824 wrote to memory of 4044	1824	17888a2c90547f557c1f88877d7353e0.exe	powershell.exe
PID 1824 wrote to memory of 4044	1824	17888a2c90547f557c1f88877d7353e0.exe	powershell.exe
PID 1824 wrote to memory of 4044	1824	17888a2c90547f557c1f88877d7353e0.exe	powershell.exe
PID 1824 wrote to memory of 4344	1824	17888a2c90547f557c1f88877d7353e0.exe	schtasks.exe
PID 1824 wrote to memory of 4344	1824	17888a2c90547f557c1f88877d7353e0.exe	schtasks.exe
PID 1824 wrote to memory of 4344	1824	17888a2c90547f557c1f88877d7353e0.exe	schtasks.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe
PID 1824 wrote to memory of 4116	1824	17888a2c90547f557c1f88877d7353e0.exe	17888a2c90547f557c1f88877d7353e0.exe

C:\Users\Admin\AppData\Local\Temp\17888a2c90547f557c1f88877d7353e0.exe
"C:\Users\Admin\AppData\Local\Temp\17888a2c90547f557c1f88877d7353e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\17888a2c90547f557c1f88877d7353e0.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FAwLPzxPWWF.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FAwLPzxPWWF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp665B.tmp"
2⤵
- Creates scheduled task(s)
PID:4344

C:\Users\Admin\AppData\Local\Temp\17888a2c90547f557c1f88877d7353e0.exe
"C:\Users\Admin\AppData\Local\Temp\17888a2c90547f557c1f88877d7353e0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\17888a2c90547f557c1f88877d7353e0.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
7909b9ed5134badc7fd9198ad90273ec

SHA1
14a3caef344cdb8c0ca4e11cac1d3f8b21ee69f7

SHA256
a0c0ec2a7e630c54e7350db1d80efebced30efd3f5ff39a4f0ace2ecc9145726

SHA512
2cbec58326b7c5a8e906a03f6ae6df107bf1ed1eb927969b0709a4f924d221d6158efdc8f74d596dfabfe3462986d01c3b563655dff7f52075239dfc103cc220

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_en4ue0kw.5wa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp665B.tmp
Filesize
1KB

MD5
aa08c3efb6024eedf878eab32d279fea

SHA1
f3abc9172202732ed4f5b925596a3dada18d9f62

SHA256
5c952555bf723dba855414022792ed0124fcb96b500df946b5ae8fbc85a0f4a4

SHA512
bdedf96e5eeb1875727ec3c3a1ad14e77e06bb9ec27ace304592593500116ff3c48b6bfedf791875d025f28f971da54e60d03b3343f3471b0e07e55eceb4986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp86FD.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8703.tmp
Filesize
100KB

MD5
079a696bcf1d85d290ea94324f8fea01

SHA1
15819c37e62568756e0c64af555b19c36f2b03c9

SHA256
97adfff767fb00f67212b0e36ade8d75f97f1e3619e1658193003e306d8a1afa

SHA512
7ffd8f6f23838beaa4ef4dbfce8347fb8725089e4271d8a2699c19ac5a42fb3868122d39fe0e13a6f132160934a81fe2c41c7d679f1236ad3c0f85b177ba0b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp872E.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8734.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp873A.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8765.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/1824-9-0x0000000008BB0000-0x0000000008C4C000-memory.dmp

Filesize
624KB

Download
memory/1824-8-0x0000000006450000-0x00000000064B0000-memory.dmp

Filesize
384KB

Download
memory/1824-7-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1824-6-0x0000000005400000-0x000000000541E000-memory.dmp

Filesize
120KB

Download
memory/1824-5-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1824-4-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/1824-3-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/1824-36-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1824-2-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/1824-0-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/1824-1-0x0000000000550000-0x00000000005F0000-memory.dmp

Filesize
640KB

Download
memory/2212-84-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

Filesize
104KB

Download
memory/2212-81-0x0000000007B90000-0x0000000007BA1000-memory.dmp

Filesize
68KB

Download
memory/2212-14-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/2212-25-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/2212-15-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-49-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/2212-52-0x0000000006980000-0x00000000069CC000-memory.dmp

Filesize
304KB

Download
memory/2212-16-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/2212-17-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-19-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/2212-54-0x0000000007610000-0x0000000007642000-memory.dmp

Filesize
200KB

Download
memory/2212-65-0x0000000006C20000-0x0000000006C3E000-memory.dmp

Filesize
120KB

Download
memory/2212-66-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/2212-55-0x0000000075980000-0x00000000759CC000-memory.dmp

Filesize
304KB

Download
memory/2212-22-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/2212-92-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-85-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

Filesize
32KB

Download
memory/2212-79-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/2212-21-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/4044-91-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-20-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-80-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/4044-26-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-78-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/4044-37-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-67-0x0000000075980000-0x00000000759CC000-memory.dmp

Filesize
304KB

Download
memory/4044-77-0x00000000073F0000-0x0000000007A6A000-memory.dmp

Filesize
6.5MB

Download
memory/4044-83-0x0000000006FF0000-0x0000000007004000-memory.dmp

Filesize
80KB

Download
memory/4044-82-0x0000000006FE0000-0x0000000006FEE000-memory.dmp

Filesize
56KB

Download
memory/4116-95-0x0000000006920000-0x0000000006996000-memory.dmp

Filesize
472KB

Download
memory/4116-94-0x0000000006DB0000-0x00000000072DC000-memory.dmp

Filesize
5.2MB

Download
memory/4116-96-0x0000000006C90000-0x0000000006CAE000-memory.dmp

Filesize
120KB

Download
memory/4116-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4116-53-0x00000000053D0000-0x00000000054DA000-memory.dmp

Filesize
1.0MB

Download
memory/4116-50-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/4116-51-0x0000000005120000-0x000000000515C000-memory.dmp

Filesize
240KB

Download
memory/4116-48-0x0000000005800000-0x0000000005E18000-memory.dmp

Filesize
6.1MB

Download
memory/4116-93-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download