redline | f2d3c92e1f5ab8109ec4f960165a1d8d5f5cee846b51b44d77ab4a1ddcba10d7

General

Target

342d3e7071f207470417fa3fe3ff9280.exe
Size

803KB
MD5

342d3e7071f207470417fa3fe3ff9280
SHA1

5422472887421624d087ae9d768b1441352a7d03
SHA256

f2d3c92e1f5ab8109ec4f960165a1d8d5f5cee846b51b44d77ab4a1ddcba10d7
SHA512

a07953bf15ceb922bf0ed3cae84da19db47ba67252a4e7af682a493f659bd2574a6e0c4548b12527a61a401c872221db25d5fe05aa547455c9dcea46f02b9d81
SSDEEP

24576:0/4RPLub9awtRZykfWJ/+IyDHvipQPAOKrf7:09tXVfWcIybiF7r7

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.124:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2172-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2172-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2172-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2172-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2172-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2172-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2172-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2172-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2568 powershell.exe
2644 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

342d3e7071f207470417fa3fe3ff9280.exe

description pid process target process

PID 1996 set thread context of 2172 1996 342d3e7071f207470417fa3fe3ff9280.exe 342d3e7071f207470417fa3fe3ff9280.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2788 schtasks.exe

pid	process
2568	powershell.exe
2644	powershell.exe

description	pid	process	target process
PID 1996 set thread context of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe

pid	process
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

342d3e7071f207470417fa3fe3ff9280.exepowershell.exepowershell.exe342d3e7071f207470417fa3fe3ff9280.exe

pid	process
1996	342d3e7071f207470417fa3fe3ff9280.exe
1996	342d3e7071f207470417fa3fe3ff9280.exe
1996	342d3e7071f207470417fa3fe3ff9280.exe
1996	342d3e7071f207470417fa3fe3ff9280.exe
2644	powershell.exe
2568	powershell.exe
2172	342d3e7071f207470417fa3fe3ff9280.exe
2172	342d3e7071f207470417fa3fe3ff9280.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

342d3e7071f207470417fa3fe3ff9280.exepowershell.exepowershell.exe342d3e7071f207470417fa3fe3ff9280.exe

description	pid	process
Token: SeDebugPrivilege	1996	342d3e7071f207470417fa3fe3ff9280.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2172	342d3e7071f207470417fa3fe3ff9280.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

342d3e7071f207470417fa3fe3ff9280.exe

description	pid	process	target process
PID 1996 wrote to memory of 2568	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2568	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2568	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2568	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2644	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2644	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2644	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2644	1996	342d3e7071f207470417fa3fe3ff9280.exe	powershell.exe
PID 1996 wrote to memory of 2788	1996	342d3e7071f207470417fa3fe3ff9280.exe	schtasks.exe
PID 1996 wrote to memory of 2788	1996	342d3e7071f207470417fa3fe3ff9280.exe	schtasks.exe
PID 1996 wrote to memory of 2788	1996	342d3e7071f207470417fa3fe3ff9280.exe	schtasks.exe
PID 1996 wrote to memory of 2788	1996	342d3e7071f207470417fa3fe3ff9280.exe	schtasks.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe
PID 1996 wrote to memory of 2172	1996	342d3e7071f207470417fa3fe3ff9280.exe	342d3e7071f207470417fa3fe3ff9280.exe

C:\Users\Admin\AppData\Local\Temp\342d3e7071f207470417fa3fe3ff9280.exe
"C:\Users\Admin\AppData\Local\Temp\342d3e7071f207470417fa3fe3ff9280.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\342d3e7071f207470417fa3fe3ff9280.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WXCJXrXZfcXsUb.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WXCJXrXZfcXsUb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4ECC.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Users\Admin\AppData\Local\Temp\342d3e7071f207470417fa3fe3ff9280.exe
"C:\Users\Admin\AppData\Local\Temp\342d3e7071f207470417fa3fe3ff9280.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4ECC.tmp
Filesize
1KB

MD5
dfa0148f0319cbed366259aafdd3d002

SHA1
2fbbaf91290ef2e899e056eaaa56eb4375435e5a

SHA256
6d6489ab4cbee9d1bc6acdd20226e4efdc11be52015dcc7c2a889b46f71de83e

SHA512
7a8e4b0a4fc85ff0928b9156fe1422bf9436e9e9b4afd2b50b21f3a40db435f632ce284ed39664439cee6d11de84aa1a3764cd63c0bfb4c8e355be6642a75a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7773.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7789.tmp
Filesize
92KB

MD5
bbe71b58e84c50336ee2d3bad3609c39

SHA1
bdd3227b48977e583127425cbc2f86ff4077ba10

SHA256
b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c

SHA512
07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cee043a6babd4559902ebf453e8960f2

SHA1
490f3d13de406bc246fd91e00f7e26daa7507c56

SHA256
e87da60b1b86f006f74ce457079569777498f156e5314bc6f30d8953b61bfc20

SHA512
19689ab92bf7dcd1eb9eef6d055b9ad68e8eb5dc413c7b4e767c039e31de06cb35d84e90fe848b0d4cbb147d4d0b2d6172c891e77d2efdfa7204c16ab7f4a71f

Download Submit
memory/1996-32-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-1-0x0000000001160000-0x000000000122A000-memory.dmp

Filesize
808KB

Download
memory/1996-2-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-3-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/1996-4-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1996-5-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1996-6-0x0000000004900000-0x000000000499A000-memory.dmp

Filesize
616KB

Download
memory/1996-0-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2172-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads