redline | 1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c

General

Target

1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe
Size

1.7MB
MD5

759a72c6c8a741df207b79f1736e2b3c
SHA1

5e587db482de9557530203b0b6f0eaf14805cab1
SHA256

1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c
SHA512

bdc6e539da23c3bb37ef613a975215b26c3c6e90bea008d4b2c39eaccae0a7929702b27252ca408a0aa1f858682c04745edb789e22afc07a06349cb614a68152
SSDEEP

12288:9Yi9sYhmoeoO7gSQu6elbNmD5vjD3FCPePWbU:9YmTcqSQuTSD5nFCWIU

Score

10^/10

redline sectoprat lovato infostealer rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

lovato

C2

57.128.132.216:55123

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2756-14-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2756-14-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-18-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe

description	pid	process	target process
PID 3024 set thread context of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvcs.exe

pid process

2756 regsvcs.exe
2756 regsvcs.exe

pid	process
2756	regsvcs.exe
2756	regsvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exeregsvcs.exe

description	pid	process
Token: SeDebugPrivilege	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe
Token: SeDebugPrivilege	2756	regsvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe

description	pid	process	target process
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2756	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	regsvcs.exe
PID 3024 wrote to memory of 2564	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	WerFault.exe
PID 3024 wrote to memory of 2564	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	WerFault.exe
PID 3024 wrote to memory of 2564	3024	1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe
"C:\Users\Admin\AppData\Local\Temp\1308d7d9f135939b43490ded8b2853aa3019dd1488bf101319ffbad13735189c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3024 -s 648
2⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6FC5.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6FCB.tmp

Filesize
92KB

MD5
2c87b2d541eecd3b4a69f502e63a5783

SHA1
c3d1777df678cf4ef89ec8330f4d64f07fb26f9e

SHA256
eae2daadf140785ff98f48909f57ec24b3138fc0744018ec84a4ff8932c3d638

SHA512
502bd68d3ead4d794969b1db7dde114e0d3ded7fc52d81ab4e50c9d59ba74a0279426b54502301e2589929802b91ff8aa32d7e3d02a79d98209e540b40f7304c

Download Submit
memory/2756-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-90-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-20-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-19-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/2756-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3024-3-0x000000001B430000-0x000000001B44A000-memory.dmp

Filesize
104KB

Download
memory/3024-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/3024-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-1-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/3024-4-0x000000001A590000-0x000000001A600000-memory.dmp

Filesize
448KB

Download
memory/3024-91-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/3024-92-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads