redline | a86d97fe008bfeb8568930bfa03e0057f77b0c8a46048ff011af244bfcefee59

Resubmissions

29-07-2024 20:42

240729-zhay8atfmb 10

26-07-2024 11:22

240726-ng188sycjb 10

25-07-2024 05:05

240725-fqw2watble 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-SW M-0013091-DHABI HARDWARE.exe
Size

24KB
MD5

9f6938e89824ccce04a9272087dec776
SHA1

7f19bee228698f4b0bb90b40c6ca2bcadc326a66
SHA256

b500874cd5939223c2b7cb52134bef3a3bf6ab1c1d112bf27c6b5e5b15f8177f
SHA512

e0052a1bcf5d5ab910da6541c51338e1215a265e8521260bf08ab00ac0320653dafab565ef616d7f1192fb55d4b0feb1666b1a73fcc7b08ae0ac0e625f4b67e1
SSDEEP

384:eM4cghl1oqCrKFf4H5A2eFP27xWkVbgWUlIx4cNWcG0FP27NBY3Yuv+ivM:WSqbFQH5iKxnVbgvqxNNZK/Y/+

Score

10^/10

redline sectoprat lovato credential_access discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lovato

57.128.132.216:55123

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/456-0-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/456-0-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 5 IoCs

Processes:

RFQ-SW M-0013091-DHABI HARDWARE.exe

description	pid	process	target process
PID 3604 set thread context of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 set thread context of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 set thread context of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 set thread context of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 set thread context of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AddInProcess32.exeAddInProcess32.exeCasPol.exeregasm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

CasPol.exejsc.exeAddInProcess32.exeAddInProcess32.exeregasm.exe

pid	process
4252	CasPol.exe
4252	CasPol.exe
4528	jsc.exe
4528	jsc.exe
4252	CasPol.exe
4528	jsc.exe
456	AddInProcess32.exe
456	AddInProcess32.exe
1552	AddInProcess32.exe
1552	AddInProcess32.exe
100	regasm.exe
100	regasm.exe
456	AddInProcess32.exe
1552	AddInProcess32.exe
100	regasm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AddInProcess32.exejsc.exeCasPol.exeregasm.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	456	AddInProcess32.exe
Token: SeDebugPrivilege	4528	jsc.exe
Token: SeDebugPrivilege	4252	CasPol.exe
Token: SeDebugPrivilege	100	regasm.exe
Token: SeDebugPrivilege	1552	AddInProcess32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

RFQ-SW M-0013091-DHABI HARDWARE.exe

description	pid	process	target process
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 456	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 100	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	regasm.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 1552	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	AddInProcess32.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4252	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	CasPol.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe
PID 3604 wrote to memory of 4528	3604	RFQ-SW M-0013091-DHABI HARDWARE.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-SW M-0013091-DHABI HARDWARE.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-SW M-0013091-DHABI HARDWARE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
2KB

MD5
a2d30af46f30554c20d70cafb78f20c2

SHA1
57b2c83933a1f07fefe5fa10df275aa95fd9c924

SHA256
86f5eef030a1905856e1bd704812bcedd67159a3d88452e7bcfcd033fccc0081

SHA512
53730e64c02b9836e1b1342c27d8019767f45b269f93955bb278779efe815aef5ebd35ad90daddd9665b56b8ed5c89f4e18991aec8ba7a710e3a49347c3c5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93A5.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93CB.tmp

Filesize
114KB

MD5
d681f32f41435252b44d84a0a92ac5af

SHA1
72656a29ecd5bb6bc779503781de9e8da7a91c18

SHA256
208b27a9ee035d4cdd35e317c3947dd3ae35e9d2b3c1010666d9a78187767cb2

SHA512
00932ddb9a1818e2f1773998e80c9582e41638f080ed047c441f899850c613aa38b73301b7dbd9225fd6536b03c6b65ea61455b32755ac45d38f22f300e310eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93F6.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp940C.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9412.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp943D.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99DC.tmp

Filesize
162KB

MD5
4b02664fe5283a77641dddf9017bd3b1

SHA1
f8fc84b43ea1fddd0439f8892124fe438b06e4b5

SHA256
3525daab1c3ef787873e153ada5ba6b0abb216a6a95347c537520892d25771f1

SHA512
852f0ef6945d44cf7d2df446b01401fdce8a1aa187479cf8e3de738f655b25c7ad9ab7028e71917a6053711d605935ba0d3f8da201e0072eb3f67c8c99b422d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99DD.tmp

Filesize
20KB

MD5
4fa0d02a88e896c6e3c66c646701e21a

SHA1
a7470206b2fda9441068b838760eff9389936c1d

SHA256
8cb451a1d6072d002040b0bb2b38ac016b463ba4fc41d9c4400142ba43b2f627

SHA512
61273cf4714df1c59ff7845ce34cf650193212f6281b0d0b2ce9391be8fb92f8d3e6016a89844a6e94cde99261a9891401b4e684ccf1626f572e30d86c6e130a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99DE.tmp

Filesize
678KB

MD5
a4755f638aa69e7333bd3218da76c7a4

SHA1
2eaa2cf1aecf980c53bb3eacb07e76321bd48991

SHA256
28b7ee82822068417df7023de0e0beb910cb2c3c4e3748b9d3947b9073525d9c

SHA512
86312d328105d5f9dd4bc63a80d44e11a51de1f2ee45d7551d0cc0f6d9d2d7d61fe0f601bd44d9d45e1b8e86137c04be9fef12753c7f15a882b76543585f7301

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99DF.tmp

Filesize
15KB

MD5
5c185af6d9b0a2863d3a919bef80f5e6

SHA1
79145f38b1976e004ba09c4fcf90796f326adf4f

SHA256
211024fb530ab3cee7d03e8daa19718ed2886874f4c8e378ed91cb8f0194b9f5

SHA512
69294d345d932f19ac9ee03ce9bed9a82b0d6477b95033f0538be065b83328aac12ef89aecd5f6bb0b52ac7b42a73b836ba2a459bc83fea32e1f79709916ab08

Download Submit
memory/100-11-0x0000000004DA0000-0x0000000004DEC000-memory.dmp

Filesize
304KB

Download
memory/456-6-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/456-858-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/456-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/456-7-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/456-8-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/456-10-0x0000000004F70000-0x0000000004FAC000-memory.dmp

Filesize
240KB

Download
memory/456-14-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/456-12-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/1552-855-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/1552-5-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/1552-13-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4252-17-0x0000000006CE0000-0x0000000006D46000-memory.dmp

Filesize
408KB

Download
memory/4252-15-0x0000000006B10000-0x0000000006CD2000-memory.dmp

Filesize
1.8MB

Download
memory/4252-21-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/4252-9-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4252-20-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/4252-19-0x0000000006FF0000-0x0000000007082000-memory.dmp

Filesize
584KB

Download
memory/4252-16-0x0000000007210000-0x000000000773C000-memory.dmp

Filesize
5.2MB

Download
memory/4252-853-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4252-18-0x0000000006ED0000-0x0000000006F46000-memory.dmp

Filesize
472KB

Download