redline | 5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53

General

Target

5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe
Size

1.9MB
MD5

2d0c898afee38cddf990ab602c32ed57
SHA1

7c5ed28545009035b55b18ee5844f34f5c3d30e1
SHA256

5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53
SHA512

9334c818d19090909e85e0390f5869e4dba32e4e4a5a3885d5fc2110fb1252423bc2a632391489e3ccc45c9932ddcd956e23c13e5bd0f99b3ff842d67decbb5e
SSDEEP

49152:F2u/BMdg532rpsjCMqigjns2+a95PlpiH9MzMrcgt4hvN3iBO:arpEZIIBO

Score

10^/10

redline sectoprat lovato credential_access discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lovato

C2

57.128.132.216:55123

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2108-2-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2108-4-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2108-2-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2108-4-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe

description	pid	process	target process
PID 328 set thread context of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

installutil.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language installutil.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

installutil.exe

pid process

2108 installutil.exe
2108 installutil.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installutil.exe

description pid process

Token: SeDebugPrivilege 2108 installutil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe

pid	process
2108	installutil.exe
2108	installutil.exe

description	pid	process
Token: SeDebugPrivilege	2108	installutil.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe

description	pid	process	target process
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe
PID 328 wrote to memory of 2108	328	5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe	installutil.exe

C:\Users\Admin\AppData\Local\Temp\5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe
"C:\Users\Admin\AppData\Local\Temp\5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDB53.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB59.tmp

Filesize
92KB

MD5
df8f707fde4a4e68ffee7c48f6a9b7db

SHA1
6852a7a4c463c3853643439794ed130a41d0c90b

SHA256
dc4e84de932df42fc1d78aa17751a6e21e723ae60796cd400e0b01c26d1b0449

SHA512
9c99fb4dc2c7727a75a632e28d3d18b6b4736f4484720788f9410a4567bf4aa4ed74fc6448a6a7d7cdff7bb4787e906a0f1c4e05c41ba02473e900f6aee9b7ba

Download Submit
memory/2108-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-5-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2108-6-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-91-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads