redline | b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32

General

Target

b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
Size

797KB
MD5

114f1c23daae885f851b9cf1fdaf8457
SHA1

82338420d02452dfbd4bed8ed753e50739f27484
SHA256

b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32
SHA512

262650ad16731df09db9f6f5c816d45e6e2b9bf72a3d8af30ec121d3a1f0fc6e402da3117ecee472af777c7a6e1ac8fa5cd5e7c4ab7517fc7d2d61a9d9659ddb
SSDEEP

24576:jqxzXQRlUnZRJOU3MlrQvB5LcFFVo7S+vRSBJIZJi:jq91ZR0U3MlMvHcFFVo7EBAJi

Score

10^/10

redline sectoprat cheat execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.78:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2656-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2656-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2656-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2656-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2656-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2656-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2656-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2656-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2744 powershell.exe
2800 powershell.exe

pid	process
2744	powershell.exe
2800	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe

description	pid	process	target process
PID 836 set thread context of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2736 schtasks.exe

pid	process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exepowershell.exepowershell.exe

pid	process
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
2800	powershell.exe
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exepowershell.exepowershell.exeb77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe

description	pid	process
Token: SeDebugPrivilege	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2656	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe

description	pid	process	target process
PID 836 wrote to memory of 2744	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2744	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2744	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2744	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2800	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2800	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2800	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2800	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	powershell.exe
PID 836 wrote to memory of 2736	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	schtasks.exe
PID 836 wrote to memory of 2736	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	schtasks.exe
PID 836 wrote to memory of 2736	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	schtasks.exe
PID 836 wrote to memory of 2736	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	schtasks.exe
PID 836 wrote to memory of 2404	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2404	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2404	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2404	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
PID 836 wrote to memory of 2656	836	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe	b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe

C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
"C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vQYTRFwVF.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQYTRFwVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
"C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe"
2⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe
"C:\Users\Admin\AppData\Local\Temp\b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp
Filesize
1KB

MD5
2137d76ee52735f8ddafab5a621af854

SHA1
86ccdf6ca350246a2c7cfda6911fc06e1ab2a49f

SHA256
823986b66c681a7a47d8a3f33f1ef6be319a658ba042cd260697f6fe2feb451b

SHA512
61788f3d2d609bdd210fe7c5a841e851e75abd166383a951b01f1c93a5dcb5a5c34b16f03050d3e228c7728a44900cb2fde67129bc08041ff3932b592592cc4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d434c05fd34c69d1c6ad9d4ddec62f17

SHA1
49d9f7f1e4f574a7e7811fed817e3e72fbcd629b

SHA256
fc205f5e0301d0c29c5538a8f8b2bf74ba24f2ec8ad6ebaa9703816d9420b24b

SHA512
61c46242e98d033dfd89213458280a51a94203bd6c77e97ba45c418f84ab967473a687191cb5fc47602d7e82dec2d0739151a5b29dd8d0aef56dd4a23236d62a

Download Submit
memory/836-4-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/836-3-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download
memory/836-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/836-5-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/836-6-0x00000000022F0000-0x000000000238A000-memory.dmp

Filesize
616KB

Download
memory/836-7-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/836-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/836-1-0x0000000000230000-0x00000000002FA000-memory.dmp

Filesize
808KB

Download
memory/836-33-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2656-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads