redline | 1d347d1d653653547112d9118d5346963bf78887f9f500c2598fd2f5d19700fa

General

Target

6923ea64d4bf71ccdaff7dfad093f120N.exe
Size

647KB
MD5

6923ea64d4bf71ccdaff7dfad093f120
SHA1

2953565b3c190b34da44b6ecfacb2be9529e5317
SHA256

1d347d1d653653547112d9118d5346963bf78887f9f500c2598fd2f5d19700fa
SHA512

982c9efe19014e246b75b43230ca6cd5e42c11d1b4757f0f2a114e9fea5fd8d9ef5e9bc1ab49958212ddc48fde64b830ef19911bcbbf892dbe76a657dc204944
SSDEEP

12288:ISjofC1P1TAioAiXydFYdme2KE//r6J9VkgTJ73vmNlabHYk:Iq1VAiobydrr6ldj0o7

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.91:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/392-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/392-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/392-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/392-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/392-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/392-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/392-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/392-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/392-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/392-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2820 powershell.exe
2636 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

6923ea64d4bf71ccdaff7dfad093f120N.exe

description pid process target process

PID 2552 set thread context of 392 2552 6923ea64d4bf71ccdaff7dfad093f120N.exe 6923ea64d4bf71ccdaff7dfad093f120N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2820	powershell.exe
2636	powershell.exe

description	pid	process	target process
PID 2552 set thread context of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exe6923ea64d4bf71ccdaff7dfad093f120N.exe6923ea64d4bf71ccdaff7dfad093f120N.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6923ea64d4bf71ccdaff7dfad093f120N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6923ea64d4bf71ccdaff7dfad093f120N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2880 schtasks.exe

pid	process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

6923ea64d4bf71ccdaff7dfad093f120N.exepowershell.exepowershell.exe

pid	process
2552	6923ea64d4bf71ccdaff7dfad093f120N.exe
2552	6923ea64d4bf71ccdaff7dfad093f120N.exe
2552	6923ea64d4bf71ccdaff7dfad093f120N.exe
2820	powershell.exe
2552	6923ea64d4bf71ccdaff7dfad093f120N.exe
2552	6923ea64d4bf71ccdaff7dfad093f120N.exe
2636	powershell.exe
2552	6923ea64d4bf71ccdaff7dfad093f120N.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6923ea64d4bf71ccdaff7dfad093f120N.exepowershell.exepowershell.exe6923ea64d4bf71ccdaff7dfad093f120N.exe

description	pid	process
Token: SeDebugPrivilege	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	392	6923ea64d4bf71ccdaff7dfad093f120N.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6923ea64d4bf71ccdaff7dfad093f120N.exe

description	pid	process	target process
PID 2552 wrote to memory of 2820	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2820	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2820	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2820	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2636	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2636	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2636	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2636	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	powershell.exe
PID 2552 wrote to memory of 2880	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	schtasks.exe
PID 2552 wrote to memory of 2880	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	schtasks.exe
PID 2552 wrote to memory of 2880	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	schtasks.exe
PID 2552 wrote to memory of 2880	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	schtasks.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe
PID 2552 wrote to memory of 392	2552	6923ea64d4bf71ccdaff7dfad093f120N.exe	6923ea64d4bf71ccdaff7dfad093f120N.exe

C:\Users\Admin\AppData\Local\Temp\6923ea64d4bf71ccdaff7dfad093f120N.exe
"C:\Users\Admin\AppData\Local\Temp\6923ea64d4bf71ccdaff7dfad093f120N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6923ea64d4bf71ccdaff7dfad093f120N.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTjbUmXegyb.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTjbUmXegyb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Users\Admin\AppData\Local\Temp\6923ea64d4bf71ccdaff7dfad093f120N.exe
"C:\Users\Admin\AppData\Local\Temp\6923ea64d4bf71ccdaff7dfad093f120N.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp

Filesize
1KB

MD5
f4d5c44fad703c35efbfc605a3d3067a

SHA1
41b28b0b5235f32842b678f2172ac41b45fa5e51

SHA256
787dbf5c89ede359d72926d8a41ff3c86b5430887aec9b8aa552009b32664f98

SHA512
d00cc3d618e249ae68eefbc00c0e701a88bd2d6db01d477e53ee4b8226ba72cc5454041202c709623b5bccf772e1c8caeddd232448a6f14730e44e7be920583d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e6e0c664d6ca5d6337c90d1bb9a0523e

SHA1
7a9fb70794b6b46f5ea28e661a3f497d5250199a

SHA256
d97442bbf2bd191104b3eb21566dbb64412a45d042da12c5ba867b6be140ad24

SHA512
1fda9ea02b1eecae3481aef930b0c5aa0e28ad4aaf0da850c36550f930d10019971398ea26dd9b5ff748d52e926b20e6b6642ea402c92dffc9d2874be0a3857e

Download Submit
memory/392-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/392-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-6-0x00000000044E0000-0x0000000004540000-memory.dmp

Filesize
384KB

Download
memory/2552-1-0x0000000000990000-0x0000000000A36000-memory.dmp

Filesize
664KB

Download
memory/2552-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2552-29-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-5-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2552-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads