redline | 13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5

General

Target

7D2707C4A1D779E025917F865C103E4B.exe
Size

776KB
MD5

7d2707c4a1d779e025917f865c103e4b
SHA1

62c0d32e2662d32951b4aa172a2be8be7f3b0fbb
SHA256

13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5
SHA512

c9ae482eba6b3eef6d1a96838862fa79a96b99297effa99255647f45e73045e9a2bbeb287a13486ac49d647947a0a7fad0f43aa59fe65174a328b227e08dbb6f
SSDEEP

24576:LYYSZ54auRRAfJhXwlsnGSKxyBp9eGqqxO5X:2GyjUP9X

Score

10^/10

redline sectoprat cheat execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.153:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/632-49-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/632-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/632-44-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/632-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/632-52-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/632-49-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/632-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/632-44-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/632-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/632-52-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2612 powershell.exe
2536 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

PO.exePO.exe

pid process

2916 PO.exe
632 PO.exe

pid	process
2612	powershell.exe
2536	powershell.exe

pid	process
2916	PO.exe
632	PO.exe

Loads dropped DLL 5 IoCs

Processes:

7D2707C4A1D779E025917F865C103E4B.exePO.exe

pid	process
2556	7D2707C4A1D779E025917F865C103E4B.exe
2556	7D2707C4A1D779E025917F865C103E4B.exe
2556	7D2707C4A1D779E025917F865C103E4B.exe
2556	7D2707C4A1D779E025917F865C103E4B.exe
2916	PO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2916 set thread context of 632 2916 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

568 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PO.exepowershell.exepowershell.exe

pid process

2916 PO.exe
2916 PO.exe
2916 PO.exe
2612 powershell.exe
2536 powershell.exe
2916 PO.exe

description	pid	process	target process
PID 2916 set thread context of 632	2916	PO.exe	PO.exe

pid	process
568	schtasks.exe

pid	process
2916	PO.exe
2916	PO.exe
2916	PO.exe
2612	powershell.exe
2536	powershell.exe
2916	PO.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

description	pid	process
Token: SeDebugPrivilege	2916	PO.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	632	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2364 DllHost.exe

pid	process
2364	DllHost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

7D2707C4A1D779E025917F865C103E4B.exePO.exe

description	pid	process	target process
PID 2556 wrote to memory of 2916	2556	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2556 wrote to memory of 2916	2556	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2556 wrote to memory of 2916	2556	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2556 wrote to memory of 2916	2556	7D2707C4A1D779E025917F865C103E4B.exe	PO.exe
PID 2916 wrote to memory of 2612	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2612	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2612	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2612	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2536	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2536	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2536	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 2536	2916	PO.exe	powershell.exe
PID 2916 wrote to memory of 568	2916	PO.exe	schtasks.exe
PID 2916 wrote to memory of 568	2916	PO.exe	schtasks.exe
PID 2916 wrote to memory of 568	2916	PO.exe	schtasks.exe
PID 2916 wrote to memory of 568	2916	PO.exe	schtasks.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe
PID 2916 wrote to memory of 632	2916	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\7D2707C4A1D779E025917F865C103E4B.exe
"C:\Users\Admin\AppData\Local\Temp\7D2707C4A1D779E025917F865C103E4B.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AdCwxzRPlmXEbv.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AdCwxzRPlmXEbv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp732.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp732.tmp
Filesize
1KB

MD5
519fc09020c13b12c0352e3b663835d2

SHA1
a24c63b613d3bac2c45386b4244d810162faef94

SHA256
0f899396dabc9309bf480e7c448c5afc29e802d261132d315880873152f331f3

SHA512
bdde13d799e5c80233cf98aaeeabf0ab45cb31514565a310dbebc928c1aff6e176907cd32b488632666b919783b693580f836979c95d09d70e4eda883ea1f4a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0b9e96ad035f6053206fb84f8f99ca24

SHA1
3e4e626d560aec61f3c772fea5c5b3c83bed9c38

SHA256
5ebb0ced8757d0e646c9db4e144da3f023a585059cbd7a561ddadd2c2e59d346

SHA512
d9c1d2409b7823e11ce47576f1888f7ad4f296bb34c72cda93632ae65139a96708828d6ab4ab72b1d1b620cbda0d881b85ddbaf6d1e50b913a3b98507d757c00

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
675KB

MD5
22c86949178066a53d70309553f8b44e

SHA1
eb4a99acdc4b638528902c8e8480bc1f58a457b5

SHA256
b9d43a80163b702f8c3d2aac0409bb2d945368e68b9c4cbe29e888ceff2fb953

SHA512
0364deec86a6658b6d5b9085fd84f4cfef57b59a45ecfa5625de6a0e8bb6c5387644af66a0374f053c23045a370717abf3c97a8376deed3ed8cb01a7206cbb72

Download Submit
memory/632-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-49-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/632-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2364-53-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/2364-5-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2556-4-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2916-26-0x00000000051B0000-0x0000000005210000-memory.dmp

Filesize
384KB

Download
memory/2916-25-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/2916-23-0x0000000000CF0000-0x0000000000D62000-memory.dmp

Filesize
456KB

Download
memory/2916-24-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2916-21-0x00000000012D0000-0x000000000137A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads