redline | e958c060aeac484632b20e3e4dc93af45eb61f483ced432778ddfc5ec9acd552

General

Target

6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
Size

855KB
MD5

6930cffe3d9c4fcb467cd4be91e865b0
SHA1

6a96e61ec3ce3b25150adad642d5b0aac034041b
SHA256

e958c060aeac484632b20e3e4dc93af45eb61f483ced432778ddfc5ec9acd552
SHA512

5b27fe5294533d32f07a3c8c2134fdc481b13d069b819b4cf999f2cc3e5845bba2dd85023e82cfe90ba1311ea3d9a6d8f3491f6f27ed0c9c911d22f53746e42a
SSDEEP

24576:vxLsMs8WdDP89WPncPKXCTu/wJUHIXX4u5:tsldI9WPcyQcIX4A

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.55:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2588-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2588-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2588-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2588-40-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2588-38-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2588-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2588-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2588-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2588-40-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2588-38-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2540 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

PO.exePO.exe

pid process

2680 PO.exe
2588 PO.exe

pid	process
2540	powershell.exe

pid	process
2680	PO.exe
2588	PO.exe

Loads dropped DLL 5 IoCs

Processes:

6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exePO.exe

pid	process
1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
2680	PO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2680 set thread context of 2588 2680 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2680 set thread context of 2588	2680	PO.exe	PO.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

PO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	PO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PO.exepowershell.exePO.exe

pid process

2680 PO.exe
2680 PO.exe
2680 PO.exe
2680 PO.exe
2540 powershell.exe
2588 PO.exe
2588 PO.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO.exePO.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2680 PO.exe
Token: SeDebugPrivilege 2588 PO.exe
Token: SeDebugPrivilege 2540 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1256 DllHost.exe

pid	process
2680	PO.exe
2680	PO.exe
2680	PO.exe
2680	PO.exe
2540	powershell.exe
2588	PO.exe
2588	PO.exe

description	pid	process
Token: SeDebugPrivilege	2680	PO.exe
Token: SeDebugPrivilege	2588	PO.exe
Token: SeDebugPrivilege	2540	powershell.exe

pid	process
1256	DllHost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exePO.exe

description	pid	process	target process
PID 1148 wrote to memory of 2680	1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe	PO.exe
PID 1148 wrote to memory of 2680	1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe	PO.exe
PID 1148 wrote to memory of 2680	1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe	PO.exe
PID 1148 wrote to memory of 2680	1148	6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe	PO.exe
PID 2680 wrote to memory of 2540	2680	PO.exe	powershell.exe
PID 2680 wrote to memory of 2540	2680	PO.exe	powershell.exe
PID 2680 wrote to memory of 2540	2680	PO.exe	powershell.exe
PID 2680 wrote to memory of 2540	2680	PO.exe	powershell.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe
PID 2680 wrote to memory of 2588	2680	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab628C.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62DD.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64FF.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6514.tmp
Filesize
92KB

MD5
b62ac03881848df6115ec34b7e71e829

SHA1
dd6a9fbe6ae809269c02165027eeb373f7734460

SHA256
9870a75eee4a9c3b6b69f11a92b3a821f7026175483855497956d27bba9993d5

SHA512
5257b9e3b6dc0022144bf5be29a4ce3a836af7b4ed83dc19d4c69bc677bcf87e417737ff97742a128d35bb4ddd1c4ef80f4dd4ed656cad3cdccd753fc1e3c3aa

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
553KB

MD5
9093edf1e63b2b7ef4902d23edcc9d7e

SHA1
122d585a2a769760854021aa9644e361e88a0e93

SHA256
6fecc3fa2e33a161f2b9770322e998d7d4836202e8ad9c53c38f10673f718f4f

SHA512
4c58ae5bac5a4d037be0bcefb7dcde358c8ed97feeaad07258b46700f71ea136f1adfe5b9e6c0d16c52be84a503a2dfb2e0970fd53cbb84b035175d1b21a7f10

Download Submit
memory/1148-4-0x0000000002580000-0x0000000002582000-memory.dmp

Filesize
8KB

Download
memory/1256-5-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1256-6-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1256-184-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2588-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2680-25-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2680-24-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2680-23-0x0000000000550000-0x000000000056E000-memory.dmp

Filesize
120KB

Download
memory/2680-21-0x0000000001150000-0x00000000011DC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads