redline | 13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5

General

Target

13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
Size

776KB
MD5

7d2707c4a1d779e025917f865c103e4b
SHA1

62c0d32e2662d32951b4aa172a2be8be7f3b0fbb
SHA256

13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5
SHA512

c9ae482eba6b3eef6d1a96838862fa79a96b99297effa99255647f45e73045e9a2bbeb287a13486ac49d647947a0a7fad0f43aa59fe65174a328b227e08dbb6f
SSDEEP

24576:LYYSZ54auRRAfJhXwlsnGSKxyBp9eGqqxO5X:2GyjUP9X

Score

10^/10

redline sectoprat cheat execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.153:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1732-49-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1732-44-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1732-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1732-52-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1732-49-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1732-44-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1732-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1732-52-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2192 powershell.exe
2372 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

PO.exePO.exe

pid process

2812 PO.exe
1732 PO.exe

pid	process
2192	powershell.exe
2372	powershell.exe

pid	process
2812	PO.exe
1732	PO.exe

Loads dropped DLL 5 IoCs

Processes:

13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exePO.exe

pid	process
2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2812	PO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2812 set thread context of 1732 2812 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2412 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PO.exepowershell.exepowershell.exe

pid process

2812 PO.exe
2812 PO.exe
2812 PO.exe
2812 PO.exe
2372 powershell.exe
2192 powershell.exe

description	pid	process	target process
PID 2812 set thread context of 1732	2812	PO.exe	PO.exe

pid	process
2412	schtasks.exe

pid	process
2812	PO.exe
2812	PO.exe
2812	PO.exe
2812	PO.exe
2372	powershell.exe
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

description	pid	process
Token: SeDebugPrivilege	2812	PO.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1732	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2684 DllHost.exe

pid	process
2684	DllHost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exePO.exe

description	pid	process	target process
PID 2800 wrote to memory of 2812	2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe	PO.exe
PID 2800 wrote to memory of 2812	2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe	PO.exe
PID 2800 wrote to memory of 2812	2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe	PO.exe
PID 2800 wrote to memory of 2812	2800	13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe	PO.exe
PID 2812 wrote to memory of 2192	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2192	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2192	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2192	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2372	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2372	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2372	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2372	2812	PO.exe	powershell.exe
PID 2812 wrote to memory of 2412	2812	PO.exe	schtasks.exe
PID 2812 wrote to memory of 2412	2812	PO.exe	schtasks.exe
PID 2812 wrote to memory of 2412	2812	PO.exe	schtasks.exe
PID 2812 wrote to memory of 2412	2812	PO.exe	schtasks.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe
PID 2812 wrote to memory of 1732	2812	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
"C:\Users\Admin\AppData\Local\Temp\13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AdCwxzRPlmXEbv.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AdCwxzRPlmXEbv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp
Filesize
1KB

MD5
abf5f4e9a31411bbd95e2a3933145f77

SHA1
78accd11dd4fe969df861f512b9d30e51c01ef1a

SHA256
f22386dc8644f0e213de1a74676ee3379f868f3b091cd77e0d96071a40c5ef6b

SHA512
4964ff4251ba79ca05419b2d8d45f09d0fb10aef361ffcd77001ca92d0638e0a9f4354ca85e3fcb8c9c04c8a6e10555f8f27c156c12834a190d0173cff801af2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d23037b0eff19060ac445852dd082445

SHA1
a41c1f658cd6ce05d56a208b4c46412abce40e74

SHA256
4dc2b43cad929d8f754c61673fda31bd6824ebc0080cdaa505fb987c24e09653

SHA512
4293060b0767430f33a2826b88948e8890ff7f84238595be648f16ed84d16fb20b29d4e0af976e4744df16fe68a7e27df46b5327482e8c31da81b8cbe22339a8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
675KB

MD5
22c86949178066a53d70309553f8b44e

SHA1
eb4a99acdc4b638528902c8e8480bc1f58a457b5

SHA256
b9d43a80163b702f8c3d2aac0409bb2d945368e68b9c4cbe29e888ceff2fb953

SHA512
0364deec86a6658b6d5b9085fd84f4cfef57b59a45ecfa5625de6a0e8bb6c5387644af66a0374f053c23045a370717abf3c97a8376deed3ed8cb01a7206cbb72

Download Submit
memory/1732-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1732-49-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2684-5-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/2684-6-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2684-53-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2800-4-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2812-26-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2812-25-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2812-24-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2812-23-0x0000000004890000-0x0000000004902000-memory.dmp

Filesize
456KB

Download
memory/2812-21-0x0000000000960000-0x0000000000A0A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads