redline | 05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3

General

Target

05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
Size

282KB
MD5

4ce2c0836c46c61b588972b56a23d5e2
SHA1

939a9f983870df1913acce63ca408bba9789588f
SHA256

05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3
SHA512

7b32f30b61ca8dcd9ae897d4d9e0480d8e0e2e5ae43f5f56f393d6a0dce7fa79e501c3d3609fcd288624c817401aa7f53c5f2fcdd7dda78d32c5034519d7256e
SSDEEP

6144:+sxanyfX5k7JlJDlABKUtfU/WQcb5sDqaxw3fWHdJytaaDlNiJ:f0nyfXuIBDtfu3qaxzHdJytlM

Score

10^/10

redline sectoprat xworm winsc discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

winsc

C2

pst-child.gl.at.ply.gg:9336

Extracted

Family

xworm

Version

5.0

C2

45.88.186.18:7000

Mutex

BjImkAWMcrtpfpkF

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\YsrQekGS.exe	family_xworm
behavioral1/memory/2860-36-0x0000000001190000-0x00000000011A0000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wjoqZlIS.exe	family_redline
behavioral1/memory/2720-37-0x0000000000F60000-0x0000000000F7E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wjoqZlIS.exe	family_sectoprat
behavioral1/memory/2720-37-0x0000000000F60000-0x0000000000F7E000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1944 powershell.exe
1932 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

rKPaQokQ.exewjoqZlIS.exeYsrQekGS.exe

pid process

1936 rKPaQokQ.exe
2720 wjoqZlIS.exe
2860 YsrQekGS.exe

pid	process
1944	powershell.exe
1932	powershell.exe

pid	process
1936	rKPaQokQ.exe
2720	wjoqZlIS.exe
2860	YsrQekGS.exe

Loads dropped DLL 8 IoCs

Processes:

05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe

pid	process
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

YsrQekGS.exe

pid process

2860 YsrQekGS.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exeYsrQekGS.exewjoqZlIS.exe

pid process

1944 powershell.exe
1932 powershell.exe
2860 YsrQekGS.exe
2720 wjoqZlIS.exe
2720 wjoqZlIS.exe

pid	process
2860	YsrQekGS.exe

pid	process
1944	powershell.exe
1932	powershell.exe
2860	YsrQekGS.exe
2720	wjoqZlIS.exe
2720	wjoqZlIS.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wjoqZlIS.exeYsrQekGS.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2720	wjoqZlIS.exe
Token: SeDebugPrivilege	2860	YsrQekGS.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2860	YsrQekGS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

YsrQekGS.exe

pid process

2860 YsrQekGS.exe

pid	process
2860	YsrQekGS.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exeYsrQekGS.exe

description	pid	process	target process
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2720	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	wjoqZlIS.exe
PID 1128 wrote to memory of 2860	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	YsrQekGS.exe
PID 1128 wrote to memory of 2860	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	YsrQekGS.exe
PID 1128 wrote to memory of 2860	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	YsrQekGS.exe
PID 1128 wrote to memory of 2860	1128	05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe	YsrQekGS.exe
PID 2860 wrote to memory of 1944	2860	YsrQekGS.exe	powershell.exe
PID 2860 wrote to memory of 1944	2860	YsrQekGS.exe	powershell.exe
PID 2860 wrote to memory of 1944	2860	YsrQekGS.exe	powershell.exe
PID 2860 wrote to memory of 1932	2860	YsrQekGS.exe	powershell.exe
PID 2860 wrote to memory of 1932	2860	YsrQekGS.exe	powershell.exe
PID 2860 wrote to memory of 1932	2860	YsrQekGS.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe
"C:\Users\Admin\AppData\Local\Temp\05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\rKPaQokQ.exe
"C:\Users\Admin\AppData\Local\Temp\rKPaQokQ.exe"
2⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\wjoqZlIS.exe
"C:\Users\Admin\AppData\Local\Temp\wjoqZlIS.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\AppData\Local\Temp\YsrQekGS.exe
"C:\Users\Admin\AppData\Local\Temp\YsrQekGS.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\YsrQekGS.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rKPaQokQ.exe

Filesize
27KB

MD5
dead69d07bc33b762abd466fb6f53e11

SHA1
f5ed372fd8ec7c455ff66bce73f16ca51cbc0302

SHA256
3091e2abfb55d05d6284b6c4b058b62c8c28afc1d883b699e9a2b5482ec6fd51

SHA512
f33a402e96474fc10f870293058b7252517456b4053d85885ebf21d0f9166f9a8a86457327a3e307624864b30ca9888ae0399a90c6248c50b781b28d9981c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0F6.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF10B.tmp

Filesize
92KB

MD5
a58d87b023e155c10b4e15fdfc6fcb06

SHA1
0ee449b782aeac54c0406adde543f19ecd9dfd38

SHA256
331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

SHA512
1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4708653f352939f05ad4fcccb48a6f17

SHA1
8d9017931a2a0f9ab8d6cf3e689b5cb49bb4d65f

SHA256
1221f9c3ed443ceaa33fb0e3f48caa3e574548ad14c03ccb2b46b3f66922b417

SHA512
dcf970940bad61df57d37f514f132bf728683aeb70fcc0db76a568c08ffe35e66bd0b49c763fd9731f7b05f477a4a8bad8699ce439acee6391978ef35a4345ca

Download Submit
\Users\Admin\AppData\Local\Temp\YsrQekGS.exe

Filesize
41KB

MD5
6ea393666ed89f758b30ea5037f5c22a

SHA1
eceeae7bdec94ad08b8e8f9abf057474c602228b

SHA256
af8318698c0ba525d71f5075be304b4a096dd87a2f058854594c50c33f7cb387

SHA512
828d857ed80010e1dde132098ced55aab759fa0f4e99921aee8de75a946cbf4ecb41f20f0d16837e58c562ef7eb538a86729b8636e06e322c8c154029decdd6e

Download Submit
\Users\Admin\AppData\Local\Temp\wjoqZlIS.exe

Filesize
95KB

MD5
eab323fa6c66098be1068fef0a03bff2

SHA1
ae2a4b7d9fe9db57afcda3f7aa599d13eeea4551

SHA256
b978a85d1ef238362afafc770a8da33c6149f54f8767b0f5753f069eb4e0dfff

SHA512
97bb7d82fac8d1885806323bb113ebc41edf90110d5d447bdad6fe3ef89cbd6226ecee8bf3419bf00fa2748008f887c17c783faf1785fbe3c817d32f7d502aaf

Download Submit
memory/1932-49-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1932-50-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1944-42-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1944-43-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2720-37-0x0000000000F60000-0x0000000000F7E000-memory.dmp

Filesize
120KB

Download
memory/2860-36-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads