redline | 13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5

General

Target

7D2707C4A1D779E025917F865C103E4B.exe
Size

776KB
MD5

7d2707c4a1d779e025917f865c103e4b
SHA1

62c0d32e2662d32951b4aa172a2be8be7f3b0fbb
SHA256

13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5
SHA512

c9ae482eba6b3eef6d1a96838862fa79a96b99297effa99255647f45e73045e9a2bbeb287a13486ac49d647947a0a7fad0f43aa59fe65174a328b227e08dbb6f
SSDEEP

24576:LYYSZ54auRRAfJhXwlsnGSKxyBp9eGqqxO5X:2GyjUP9X

Score

10^/10

redline sectoprat cheat execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.153:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-49-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1844-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1844-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1844-44-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1844-53-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-49-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1844-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1844-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1844-44-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1844-53-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2588 powershell.exe
2560 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

PO.exePO.exe

pid process

2168 PO.exe
1844 PO.exe

pid	process
2588	powershell.exe
2560	powershell.exe

pid	process
2168	PO.exe
1844	PO.exe

Loads dropped DLL 5 IoCs

Processes:

7D2707C4A1D779E025917F865C103E4B.exePO.exe

pid	process
2940	7D2707C4A1D779E025917F865C103E4B.exe
2940	7D2707C4A1D779E025917F865C103E4B.exe
2940	7D2707C4A1D779E025917F865C103E4B.exe
2940	7D2707C4A1D779E025917F865C103E4B.exe
2168	PO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2168 set thread context of 1844 2168 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PO.exepowershell.exepowershell.exe

pid process

2168 PO.exe
2168 PO.exe
2168 PO.exe
2168 PO.exe
2588 powershell.exe
2560 powershell.exe

description	pid	process	target process
PID 2168 set thread context of 1844	2168	PO.exe	PO.exe

pid	process
2616	schtasks.exe

pid	process
2168	PO.exe
2168	PO.exe
2168	PO.exe
2168	PO.exe
2588	powershell.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

description	pid	process
Token: SeDebugPrivilege	2168	PO.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1844	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2948 DllHost.exe

pid	process
2948	DllHost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

7D2707C4A1D779E025917F865C103E4B.exePO.exe

description	pid	process	target process
PID 2940 wrote to memory of 2168	2940	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2940 wrote to memory of 2168	2940	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2940 wrote to memory of 2168	2940	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2940 wrote to memory of 2168	2940	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2168 wrote to memory of 2588	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2588	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2588	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2588	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2560	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2560	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2560	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2560	2168	PO.exe	powershell.exe
PID 2168 wrote to memory of 2616	2168	PO.exe	schtasks.exe
PID 2168 wrote to memory of 2616	2168	PO.exe	schtasks.exe
PID 2168 wrote to memory of 2616	2168	PO.exe	schtasks.exe
PID 2168 wrote to memory of 2616	2168	PO.exe	schtasks.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe
PID 2168 wrote to memory of 1844	2168	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\7D2707C4A1D779E025917F865C103E4B.exe
"C:\Users\Admin\AppData\Local\Temp\7D2707C4A1D779E025917F865C103E4B.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AdCwxzRPlmXEbv.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AdCwxzRPlmXEbv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C86.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C86.tmp
Filesize
1KB

MD5
59398cb4393d2a7053e0eb51e9e744a7

SHA1
77b40e0710ab92bca27621998f7a7d6499654437

SHA256
32af53095cd831143b4c2fb0432a1991c19c75b09f6ce92c70b9250eef7dfc3a

SHA512
4176441e65092b5ccc02f9962823592a4ed401bda5214fe00933013e20c490edc2e8952f82a122842010f70c80c14c8b088ac51954af7cf3461acf03d2141205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
15743e4964429389242389a55db31ed5

SHA1
3e30c6142e9252e52bbae5025f5f73f493749865

SHA256
8cd332c2154c7e630d6f2d11bdfd184e75d8f0c975a197ceca2f93d1d508531c

SHA512
b184b824b89c6e94da970edf4d7137b66b2a181af528d3644212a7df79afbb0ddff574089b58a63af9144daadffc28dc76937b1aa282dde2a99f794b60aba626

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
675KB

MD5
22c86949178066a53d70309553f8b44e

SHA1
eb4a99acdc4b638528902c8e8480bc1f58a457b5

SHA256
b9d43a80163b702f8c3d2aac0409bb2d945368e68b9c4cbe29e888ceff2fb953

SHA512
0364deec86a6658b6d5b9085fd84f4cfef57b59a45ecfa5625de6a0e8bb6c5387644af66a0374f053c23045a370717abf3c97a8376deed3ed8cb01a7206cbb72

Download Submit
memory/1844-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-49-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-23-0x0000000000830000-0x00000000008A2000-memory.dmp

Filesize
456KB

Download
memory/2168-26-0x0000000004460000-0x00000000044C0000-memory.dmp

Filesize
384KB

Download
memory/2168-25-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2168-24-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2168-21-0x0000000000CA0000-0x0000000000D4A000-memory.dmp

Filesize
680KB

Download
memory/2940-4-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/2948-5-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2948-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2948-54-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads