redline | a03e5ea28a045edffc05c69ec5d06601425b60ec2523448bd46e14ff17643c95

General

Target

E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
Size

657KB
MD5

e87ad5f7041eff087b6bff15cf1dab3a
SHA1

9a22fb7c1769a517b4b72e4310ff7c9f399f0f32
SHA256

a03e5ea28a045edffc05c69ec5d06601425b60ec2523448bd46e14ff17643c95
SHA512

b6477f6e27aefd2851b5827ef202e7b918e5085afaa21ad9fdbde3d3aeae87cd4e1020ce207e1b276ed472c77f30063abde39f24e71c657bbfe9bf6191b5a815
SSDEEP

12288:J7PcxgeYL893+uJ6C+Qs8ffuc2BgFEM0XZJEmJ2rIO:JbcYgBqSfuc2Bgn0smJUN

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.147:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2584-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2584-19-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2584-12-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2584-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2584-19-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2584-12-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

description pid process target process

PID 2488 set thread context of 2584 2488 E87AD5F7041EFF087B6BFF15CF1DAB3A.exe E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

description	pid	process	target process
PID 2488 set thread context of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

E87AD5F7041EFF087B6BFF15CF1DAB3A.exeE87AD5F7041EFF087B6BFF15CF1DAB3A.exe

pid	process
2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2584	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2584	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

E87AD5F7041EFF087B6BFF15CF1DAB3A.exeE87AD5F7041EFF087B6BFF15CF1DAB3A.exe

description pid process

Token: SeDebugPrivilege 2488 E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
Token: SeDebugPrivilege 2584 E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

description	pid	process
Token: SeDebugPrivilege	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
Token: SeDebugPrivilege	2584	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

description	pid	process	target process
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584	2488	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe	E87AD5F7041EFF087B6BFF15CF1DAB3A.exe

C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
"C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
"C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D62.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DB6.tmp
Filesize
92KB

MD5
dd6944619a1cff7c63c0e49ed65368ca

SHA1
a055ce9efa2206cdc35b924d43a5d06f453ce777

SHA256
58ea6de2879649260c0a62b6e8e045e88c3311978e993f63a8dfcdb0dba9f05d

SHA512
856d454cd202fc39bec08f7ea7fb9c631e5531c1d5ffc269d3ea4ef2cdd568b176da0f8e00ffd8c80eaad461cecbce213fa4cd46b142a7760fd32815261fddd7

Download Submit
memory/2488-22-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-0-0x0000000073B6E000-0x0000000073B6F000-memory.dmp

Filesize
4KB

Download
memory/2488-4-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2488-5-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2488-6-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/2488-3-0x0000000000A10000-0x0000000000A82000-memory.dmp

Filesize
456KB

Download
memory/2488-1-0x0000000000E90000-0x0000000000F3A000-memory.dmp

Filesize
680KB

Download
memory/2488-2-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-23-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-24-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-97-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads