redline | 289bceeeff61db69d94891ce1436291f42c3548bcef78120ba770a21c81a9bf2

General

Target

7b62c5248337ebed283f82a912016f10N.exe
Size

524KB
MD5

7b62c5248337ebed283f82a912016f10
SHA1

4d4e2a283cb5c7a1620e84d55f07451c1b2d39bc
SHA256

289bceeeff61db69d94891ce1436291f42c3548bcef78120ba770a21c81a9bf2
SHA512

72721ee2d70cde744a565a10c3472222a6aee5c6e0573ef9f475cd5f019ede0a4fbb127f132e12e1c0e5ca104ee3e3414a1c1139579a4d94a243a7f8b8440931
SSDEEP

12288:FK0QpjndCRVwqbwQkt7rllWxJzxv5rsi2IZl:FKTjdCvw7HkC

Score

10^/10

redline sectoprat newlogs discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

Newlogs

C2

204.14.75.2:16383

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-27-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2740-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2740-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2740-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2740-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-27-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2740-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2740-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2740-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2740-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2964 powershell.exe
2336 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7b62c5248337ebed283f82a912016f10N.exe

description pid process target process

PID 292 set thread context of 2740 292 7b62c5248337ebed283f82a912016f10N.exe 7b62c5248337ebed283f82a912016f10N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2964	powershell.exe
2336	powershell.exe

description	pid	process	target process
PID 292 set thread context of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7b62c5248337ebed283f82a912016f10N.exepowershell.exepowershell.exeschtasks.exe7b62c5248337ebed283f82a912016f10N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b62c5248337ebed283f82a912016f10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b62c5248337ebed283f82a912016f10N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2840 schtasks.exe

pid	process
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7b62c5248337ebed283f82a912016f10N.exepowershell.exepowershell.exe

pid	process
292	7b62c5248337ebed283f82a912016f10N.exe
292	7b62c5248337ebed283f82a912016f10N.exe
292	7b62c5248337ebed283f82a912016f10N.exe
292	7b62c5248337ebed283f82a912016f10N.exe
292	7b62c5248337ebed283f82a912016f10N.exe
292	7b62c5248337ebed283f82a912016f10N.exe
292	7b62c5248337ebed283f82a912016f10N.exe
2964	powershell.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7b62c5248337ebed283f82a912016f10N.exepowershell.exepowershell.exe7b62c5248337ebed283f82a912016f10N.exe

description	pid	process
Token: SeDebugPrivilege	292	7b62c5248337ebed283f82a912016f10N.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2740	7b62c5248337ebed283f82a912016f10N.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

7b62c5248337ebed283f82a912016f10N.exe

description	pid	process	target process
PID 292 wrote to memory of 2964	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2964	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2964	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2964	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2336	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2336	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2336	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2336	292	7b62c5248337ebed283f82a912016f10N.exe	powershell.exe
PID 292 wrote to memory of 2840	292	7b62c5248337ebed283f82a912016f10N.exe	schtasks.exe
PID 292 wrote to memory of 2840	292	7b62c5248337ebed283f82a912016f10N.exe	schtasks.exe
PID 292 wrote to memory of 2840	292	7b62c5248337ebed283f82a912016f10N.exe	schtasks.exe
PID 292 wrote to memory of 2840	292	7b62c5248337ebed283f82a912016f10N.exe	schtasks.exe
PID 292 wrote to memory of 2904	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2904	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2904	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2904	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe
PID 292 wrote to memory of 2740	292	7b62c5248337ebed283f82a912016f10N.exe	7b62c5248337ebed283f82a912016f10N.exe

C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe
"C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QbeGoUg.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QbeGoUg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF67.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe
"C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe"
2⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe
"C:\Users\Admin\AppData\Local\Temp\7b62c5248337ebed283f82a912016f10N.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDF67.tmp
Filesize
1KB

MD5
e2c9f03ca98951eb042a690af9c81db9

SHA1
3d87125bb17553d43fe9e108eb7641b45d524d08

SHA256
346a4ea00c4cdc78b2e20188c4ee7ad22536b3f0432e77ab17d9962d1670a96f

SHA512
1809d5941bec3001aed81d7ff1d2a91e170f33ae8decbcafb98f5108f254c512f4ab0809b0a55c52d295f7d1f4978db4aed81f37085bfecb8d4ae16a764c6527

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
83603534d13e57c868ac15bd1347e6e3

SHA1
db8d723ec163344282682606afbc1d01631cbcb2

SHA256
8b273fcb2d816b33272127ec0af6d6a977bd3500f9109131adcafea3662e15b8

SHA512
e9b09e07c3e7cd40db1265b8a87d4f3fe4c7ef4c53d9d41918e638383eeadbf5f66c18528573796fee2a6f232e69c657a0441133e36a11a08abef1c5229f30b8

Download Submit
memory/292-31-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/292-1-0x00000000009D0000-0x0000000000A56000-memory.dmp

Filesize
536KB

Download
memory/292-2-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/292-3-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/292-4-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/292-5-0x0000000004220000-0x0000000004280000-memory.dmp

Filesize
384KB

Download
memory/292-0-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/2740-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads