redline | ced3557310b98b8a1ede8c1c24c4997a2eb2e05e561dd0b6ca36627f0d987d14

General

Target

Paymentslip.exe
Size

504KB
MD5

c4b108f45b87751371fb6e78597772ae
SHA1

e60ae2b84d36714099a929b5af304e9a40857ba6
SHA256

ced3557310b98b8a1ede8c1c24c4997a2eb2e05e561dd0b6ca36627f0d987d14
SHA512

523ccc014c320c2371ed7ed75d67befa83b68b9f22f5e1b2a10c6343a4bf9ec711aa06cddb3631ef373980d3b6fb507bb514e71274e0f66d28e873624df66fbd
SSDEEP

12288:9C/ccUT6hn8ZISOD4CsfmADREaj3qLCaSnAmCwocAMee/c:eccEan8+vD4B76aa6AN4AMp/c

Score

10^/10

redline sectoprat cheat credential_access discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

billred229102.duckdns.org:26546

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1172-27-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1172-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1172-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1172-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1172-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1172-27-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1172-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1172-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1172-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1172-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2756 powershell.exe
2648 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Paymentslip.exe

description pid process target process

PID 2808 set thread context of 1172 2808 Paymentslip.exe Paymentslip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2756	powershell.exe
2648	powershell.exe

description	pid	process	target process
PID 2808 set thread context of 1172	2808	Paymentslip.exe	Paymentslip.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeschtasks.exePaymentslip.exePaymentslip.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paymentslip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paymentslip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Paymentslip.exepowershell.exepowershell.exePaymentslip.exe

pid process

2808 Paymentslip.exe
2808 Paymentslip.exe
2756 powershell.exe
2648 powershell.exe
1172 Paymentslip.exe
1172 Paymentslip.exe

pid	process
2596	schtasks.exe

pid	process
2808	Paymentslip.exe
2808	Paymentslip.exe
2756	powershell.exe
2648	powershell.exe
1172	Paymentslip.exe
1172	Paymentslip.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Paymentslip.exepowershell.exepowershell.exePaymentslip.exe

description	pid	process
Token: SeDebugPrivilege	2808	Paymentslip.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1172	Paymentslip.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Paymentslip.exe

description	pid	process	target process
PID 2808 wrote to memory of 2756	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2756	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2756	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2756	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2648	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2648	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2648	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2648	2808	Paymentslip.exe	powershell.exe
PID 2808 wrote to memory of 2596	2808	Paymentslip.exe	schtasks.exe
PID 2808 wrote to memory of 2596	2808	Paymentslip.exe	schtasks.exe
PID 2808 wrote to memory of 2596	2808	Paymentslip.exe	schtasks.exe
PID 2808 wrote to memory of 2596	2808	Paymentslip.exe	schtasks.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe
PID 2808 wrote to memory of 1172	2808	Paymentslip.exe	Paymentslip.exe

C:\Users\Admin\AppData\Local\Temp\Paymentslip.exe
"C:\Users\Admin\AppData\Local\Temp\Paymentslip.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Paymentslip.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mueIOWjsOyku.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mueIOWjsOyku" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B84.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Users\Admin\AppData\Local\Temp\Paymentslip.exe
"C:\Users\Admin\AppData\Local\Temp\Paymentslip.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9B84.tmp

Filesize
1KB

MD5
4a3dbc7957942fd71893a306a0b9b54e

SHA1
8350423266f3e4d07341fc35b5923c2a71a91184

SHA256
4d5a6598c31aed9096aba37af3dc9b5e7e7a98c562c234d9550da8fd8773d834

SHA512
aa11dfd888cb84087ecd907fde4575a8a383cf9de4c189efa714e6d56fd7d0c114fd71e7fa66d43594b3e2e73daf896739de6cbd4caaa92f1761eec3d603b558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB86F.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB884.tmp

Filesize
92KB

MD5
cf00cf5b059b43e29cbde1a36c6209f3

SHA1
9df2f8ef60997e3934fef0d88f9770fb9d19769f

SHA256
9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a

SHA512
16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
51f1238206c74cd851b4b5b7c9372c3a

SHA1
923e05323ed6862c3213df311329d0a861d93ee2

SHA256
e4848623017e98f1d7bc0ddfa161c66f82669eadeb75230532dc865cca4c1e3a

SHA512
05c2e086d368f53d3641d7a7cb1efb4b16b01f6855f3f2e33d9839b366ec7eeb6a6686be5292939ce1cf4393c136513999ab7f85a731577f0a12fddbb46c7e71

Download Submit
memory/1172-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1172-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1172-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1172-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1172-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1172-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1172-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1172-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2808-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2808-30-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-5-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/2808-3-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2808-4-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/2808-2-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-1-0x0000000000B10000-0x0000000000B8E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads