redline | a86c3fc17ce2011b277a937078aa1cba9d8c52e8869a15535d6cfd3db196755e

General

Target

88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
Size

809KB
MD5

15f948da0e0786ee883bc9714ee6b47a
SHA1

13d0747a12ce2783ac3a1d225d760cd5b2ed1aa1
SHA256

88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573
SHA512

006913022a08797087c1a47e89f1fba3beef5eb7f925631d507e841f361b56fe7dbefa1a1a60c0f5542742ad71c0b142ab5f4d280bfd9bc50bf5f7018c6bb31e
SSDEEP

24576:aJr8tE+sQJRRGM3sU+7sdCGNcArcotgiko7ehxaFpmx9:aJ4LP1MsdV5c+g5OiaFM/

Score

10^/10

redline sectoprat cheat execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.68:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/780-150-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/780-147-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/780-145-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/780-153-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/780-155-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/780-150-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/780-147-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/780-145-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/780-153-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/780-155-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1544 powershell.exe
1484 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

PO.exePO.exePO.exe

pid process

2652 PO.exe
780 PO.exe
2076 PO.exe

pid	process
1544	powershell.exe
1484	powershell.exe

pid	process
2652	PO.exe
780	PO.exe
2076	PO.exe

Loads dropped DLL 7 IoCs

Processes:

88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exePO.exe

pid	process
2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
2652	PO.exe
2652	PO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2652 set thread context of 780 2652 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1948 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

PO.exepowershell.exepowershell.exe

pid process

2652 PO.exe
2652 PO.exe
2652 PO.exe
2652 PO.exe
2652 PO.exe
2652 PO.exe
1544 powershell.exe
1484 powershell.exe

description	pid	process	target process
PID 2652 set thread context of 780	2652	PO.exe	PO.exe

pid	process
1948	schtasks.exe

pid	process
2652	PO.exe
2652	PO.exe
2652	PO.exe
2652	PO.exe
2652	PO.exe
2652	PO.exe
1544	powershell.exe
1484	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

description	pid	process
Token: SeDebugPrivilege	2652	PO.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	780	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2576 DllHost.exe

pid	process
2576	DllHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exePO.exe

description	pid	process	target process
PID 2036 wrote to memory of 2652	2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe	PO.exe
PID 2036 wrote to memory of 2652	2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe	PO.exe
PID 2036 wrote to memory of 2652	2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe	PO.exe
PID 2036 wrote to memory of 2652	2036	88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe	PO.exe
PID 2652 wrote to memory of 1544	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1544	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1544	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1544	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1484	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1484	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1484	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1484	2652	PO.exe	powershell.exe
PID 2652 wrote to memory of 1948	2652	PO.exe	schtasks.exe
PID 2652 wrote to memory of 1948	2652	PO.exe	schtasks.exe
PID 2652 wrote to memory of 1948	2652	PO.exe	schtasks.exe
PID 2652 wrote to memory of 1948	2652	PO.exe	schtasks.exe
PID 2652 wrote to memory of 2076	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 2076	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 2076	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 2076	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe
PID 2652 wrote to memory of 780	2652	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
"C:\Users\Admin\AppData\Local\Temp\88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gsGRKUB.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gsGRKUB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B45.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp
Filesize
1KB

MD5
e454a1426c70effa82894c54096d3abb

SHA1
94d0ef330de0482aec2dc205f0ec20408096c815

SHA256
fc4df0cb427e56387f82531dc752f90dc396146e8d3cf61c70e56182d12f2016

SHA512
62cf7aa6ab129a062f833fa527ffd82ba59e5390cfc8f39618b71195ae009a66af9118cc46ff1e87133b0cb5cdeb8e24bab8ddffb4da1ef20570fe321aefd503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JG1CVSST7G30NF2PCFKQ.temp
Filesize
7KB

MD5
1f6731fb17b0252c56d3678677574efe

SHA1
24a2db5d6a2d60f22ab6153952a3b518515e8cd5

SHA256
8c358711f50eccfa414382b6956f400c16a5130eca0cf1c46fb66197059cf7d9

SHA512
65c9121ee40600c7d14c0c983f8880ee9d610e4cbf16665ff30b5c81f28e539483b6dc9397ea8ed13aa9b7be59addb801a35e945b9a3b84716658d9e0c091435

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
716KB

MD5
6da58e4a005e57e0eee2faf662dfd4ae

SHA1
2146c9d021ac262c918c4cdf5d5c842568ee2c87

SHA256
364a57fff4c2f5d8f2b35945016f4660ea9e583250e81c13d3da523d21cf33cf

SHA512
f0895ce9160e05c434f3b3bb5ab6907dd4a767b38ea19f276de446e1d62476b00b912f4fb432bb12a4cadf19e25310b5c7a716b6d51a0156a47bc6c31a10ceeb

Download Submit
memory/780-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/780-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-153-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-4-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/2576-5-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/2576-7-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2576-156-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2652-24-0x0000000000FB0000-0x0000000001064000-memory.dmp

Filesize
720KB

Download
memory/2652-126-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2652-125-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2652-124-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2652-123-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads