redline | 3c0d3ca35dcf977eade9897106a46ae8def8d1eecd757cc07e31bd13b00d2198

Analysis

max time kernel
146s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HMC.exe
Size

3.0MB
MD5

6e4727684bbce2a7e6ce6824792c5cd8
SHA1

d20e40c0e81476dbecdbe859931a25d279fc055e
SHA256

3c0d3ca35dcf977eade9897106a46ae8def8d1eecd757cc07e31bd13b00d2198
SHA512

5c55bda7008c5c54c8122e7934c3ef0f70325138a4fbff4201d430fccac13d4ade2b9be8aa86e1b8969bc26f84303d2ccb1a20cd1980ba7a85013d37a0024200
SSDEEP

24576:fVsQ6BKfC+CWDU2fy6Uuri8MmOmbCYUz7PH8Zeaj0HM3ow5Xty:fVeBB2kMOnYUvPb

Score

10^/10

redline sectoprat checker infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

CHECKER

41.216.183.150:32356

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_redline
behavioral1/memory/1916-19-0x0000000000F70000-0x0000000000F8E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2936-1-0x0000000000260000-0x000000000056C000-memory.dmp	family_sectoprat
C:\ProgramData\build.exe	family_sectoprat
behavioral1/memory/1916-19-0x0000000000F70000-0x0000000000F8E000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

HMC.exebuild.exe

pid process

1720 HMC.exe
1916 build.exe
Loads dropped DLL 6 IoCs

Processes:

HMC.exeWerFault.exe

pid process

2936 HMC.exe
2548 WerFault.exe
2548 WerFault.exe
2548 WerFault.exe
2548 WerFault.exe
2548 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 1916 build.exe

pid	process
1720	HMC.exe
1916	build.exe

pid	process
2936	HMC.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1916	build.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

HMC.exeHMC.exe

description	pid	process	target process
PID 2936 wrote to memory of 1720	2936	HMC.exe	HMC.exe
PID 2936 wrote to memory of 1720	2936	HMC.exe	HMC.exe
PID 2936 wrote to memory of 1720	2936	HMC.exe	HMC.exe
PID 2936 wrote to memory of 1916	2936	HMC.exe	build.exe
PID 2936 wrote to memory of 1916	2936	HMC.exe	build.exe
PID 2936 wrote to memory of 1916	2936	HMC.exe	build.exe
PID 2936 wrote to memory of 1916	2936	HMC.exe	build.exe
PID 1720 wrote to memory of 2548	1720	HMC.exe	WerFault.exe
PID 1720 wrote to memory of 2548	1720	HMC.exe	WerFault.exe
PID 1720 wrote to memory of 2548	1720	HMC.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\HMC.exe
"C:\Users\Admin\AppData\Local\Temp\HMC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936

C:\ProgramData\HMC.exe
"C:\ProgramData\HMC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1720 -s 568
3⤵
- Loads dropped DLL
PID:2548

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\build.exe
Filesize
96KB

MD5
3618d640f96e5d7858cd7fbd2d065dbe

SHA1
7c0565f3f3e7cde72309e0b9032017f443d08b25

SHA256
410bbaa054722728177d773503246f5c289ba40cdbab793b42ce638e330b2472

SHA512
8b8234271d4f910378f9965d689d394938a45eb460e37031e0638c9f6635e307e714841fb04807003b769f5caf444344462d5174d980cd87e43849e8e1bebd10

Download Submit
\ProgramData\HMC.exe
Filesize
2.6MB

MD5
0bd541037d1794d63bb58654f1e897c5

SHA1
a901fc2bc1fcc672b6dfee0d3e93b4ca8f11c710

SHA256
2e8931e43c5674bc641651868ef311e2d3407e0132325c0795bdf4f5404fb30f

SHA512
85412b5357e65ceebdd1f460e4764e3b5b11c242250500f9f55fdbaa0d2c6aa15cf0f68f7e1d88369a013a2d16c95e235db68dd48590e306de59cf01fb7128c9

Download Submit
memory/1720-14-0x000000013F940000-0x000000013FBE4000-memory.dmp

Filesize
2.6MB

Download
memory/1720-16-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-17-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-25-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-19-0x0000000000F70000-0x0000000000F8E000-memory.dmp

Filesize
120KB

Download
memory/2936-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000000260000-0x000000000056C000-memory.dmp

Filesize
3.0MB

Download
memory/2936-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-18-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download