redline | 4d623323722623c396d129c980835c6c008c3fc10833e2e0220bfcd8969151aa

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007DECAA4162946F4AFAE58675EA24F2.exe
Size

3.0MB
MD5

007decaa4162946f4afae58675ea24f2
SHA1

a86eb4dffba6fa651ffdc016dc8cab9f6b583f46
SHA256

4d623323722623c396d129c980835c6c008c3fc10833e2e0220bfcd8969151aa
SHA512

1d60d4e882eabbcdcf76689b9c330b23edad748e578fa5db26f7b2f39dd4e6217f99577868d4a30c78d8f68ecedcaf36516736894f0463a69084d799bd0e2cc6
SSDEEP

49152:MeneANrcDamp/RMaBejg2CgEmweT0ibbFlx9SZUGZmCvZKHHkNKNNNpNNNmy:ze4rAa4/R7ejgISeThbFf9SZMqsc

Score

10^/10

redline sectoprat xworm second credential_access discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:8080

51.89.201.41:8080

Attributes

Install_directory
%ProgramData%
install_file
ApplicationFrameHost.exe

Extracted

Family

redline

Botnet

Second

51.89.201.41:29254

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\ProgramData\unbinded.exe	family_xworm
behavioral1/memory/2756-13-0x00000000011D0000-0x0000000001214000-memory.dmp	family_xworm
behavioral1/memory/2220-131-0x0000000001260000-0x00000000012A4000-memory.dmp	family_xworm
behavioral1/memory/1604-134-0x00000000003F0000-0x0000000000434000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_redline
behavioral1/memory/2740-22-0x0000000000120000-0x000000000013E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_sectoprat
behavioral1/memory/2740-22-0x0000000000120000-0x000000000013E000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2380 powershell.exe
2516 powershell.exe
2244 powershell.exe
2876 powershell.exe

pid	process
2380	powershell.exe
2516	powershell.exe
2244	powershell.exe
2876	powershell.exe

Drops startup file 2 IoCs

Processes:

unbinded.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk	unbinded.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk	unbinded.exe

Executes dropped EXE 5 IoCs

Processes:

unbinded.exebuild.exeEngine - Clean.exeApplicationFrameHost.exeApplicationFrameHost.exe

pid process

2756 unbinded.exe
2740 build.exe
2960 Engine - Clean.exe
2220 ApplicationFrameHost.exe
1604 ApplicationFrameHost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2756	unbinded.exe
2740	build.exe
2960	Engine - Clean.exe
2220	ApplicationFrameHost.exe
1604	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unbinded.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "C:\\ProgramData\\ApplicationFrameHost.exe"	unbinded.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

build.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1176 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

unbinded.exe

pid process

2756 unbinded.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeunbinded.exebuild.exe

pid process

2380 powershell.exe
2516 powershell.exe
2244 powershell.exe
2876 powershell.exe
2756 unbinded.exe
2740 build.exe
2740 build.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

pid	process
1176	schtasks.exe

pid	process
2756	unbinded.exe

pid	process
2380	powershell.exe
2516	powershell.exe
2244	powershell.exe
2876	powershell.exe
2756	unbinded.exe
2740	build.exe
2740	build.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

unbinded.exebuild.exepowershell.exepowershell.exepowershell.exepowershell.exeApplicationFrameHost.exeApplicationFrameHost.exe

description	pid	process
Token: SeDebugPrivilege	2756	unbinded.exe
Token: SeDebugPrivilege	2740	build.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2756	unbinded.exe
Token: SeDebugPrivilege	2220	ApplicationFrameHost.exe
Token: SeDebugPrivilege	1604	ApplicationFrameHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

unbinded.exe

pid process

2756 unbinded.exe

pid	process
2756	unbinded.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

007DECAA4162946F4AFAE58675EA24F2.exeunbinded.exetaskeng.exe

description	pid	process	target process
PID 2152 wrote to memory of 2756	2152	007DECAA4162946F4AFAE58675EA24F2.exe	unbinded.exe
PID 2152 wrote to memory of 2756	2152	007DECAA4162946F4AFAE58675EA24F2.exe	unbinded.exe
PID 2152 wrote to memory of 2756	2152	007DECAA4162946F4AFAE58675EA24F2.exe	unbinded.exe
PID 2152 wrote to memory of 2740	2152	007DECAA4162946F4AFAE58675EA24F2.exe	build.exe
PID 2152 wrote to memory of 2740	2152	007DECAA4162946F4AFAE58675EA24F2.exe	build.exe
PID 2152 wrote to memory of 2740	2152	007DECAA4162946F4AFAE58675EA24F2.exe	build.exe
PID 2152 wrote to memory of 2740	2152	007DECAA4162946F4AFAE58675EA24F2.exe	build.exe
PID 2152 wrote to memory of 2960	2152	007DECAA4162946F4AFAE58675EA24F2.exe	Engine - Clean.exe
PID 2152 wrote to memory of 2960	2152	007DECAA4162946F4AFAE58675EA24F2.exe	Engine - Clean.exe
PID 2152 wrote to memory of 2960	2152	007DECAA4162946F4AFAE58675EA24F2.exe	Engine - Clean.exe
PID 2756 wrote to memory of 2380	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2380	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2380	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2516	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2516	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2516	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2244	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2244	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2244	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2876	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2876	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 2876	2756	unbinded.exe	powershell.exe
PID 2756 wrote to memory of 1176	2756	unbinded.exe	schtasks.exe
PID 2756 wrote to memory of 1176	2756	unbinded.exe	schtasks.exe
PID 2756 wrote to memory of 1176	2756	unbinded.exe	schtasks.exe
PID 3004 wrote to memory of 2220	3004	taskeng.exe	ApplicationFrameHost.exe
PID 3004 wrote to memory of 2220	3004	taskeng.exe	ApplicationFrameHost.exe
PID 3004 wrote to memory of 2220	3004	taskeng.exe	ApplicationFrameHost.exe
PID 3004 wrote to memory of 1604	3004	taskeng.exe	ApplicationFrameHost.exe
PID 3004 wrote to memory of 1604	3004	taskeng.exe	ApplicationFrameHost.exe
PID 3004 wrote to memory of 1604	3004	taskeng.exe	ApplicationFrameHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\007DECAA4162946F4AFAE58675EA24F2.exe
"C:\Users\Admin\AppData\Local\Temp\007DECAA4162946F4AFAE58675EA24F2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\ProgramData\unbinded.exe
"C:\ProgramData\unbinded.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\unbinded.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'unbinded.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ApplicationFrameHost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\ProgramData\ApplicationFrameHost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\ProgramData\Engine - Clean.exe
"C:\ProgramData\Engine - Clean.exe"
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\taskeng.exe
taskeng.exe {620E8F95-6DF8-4866-AB14-01974FDDE44F} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\ProgramData\ApplicationFrameHost.exe
C:\ProgramData\ApplicationFrameHost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\ProgramData\ApplicationFrameHost.exe
C:\ProgramData\ApplicationFrameHost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Engine - Clean.exe

Filesize
1.7MB

MD5
a865bac6ef42d6c5b19ce21f0354a902

SHA1
06caff2aaa241849e46a2bab7680d565d61c6b84

SHA256
4102f51991d25c6e12e74d7029b3613010595aca6612d8a2919b3086b9152e61

SHA512
74f20cbac511c9647a7ced453eb110b78e8314cc0c774bb9609bbd6d1e293712478929bc5c027891dd2d1d9de452a305e27ed2f4ff93afb3612f703c98af2e3e

Download Submit
C:\ProgramData\MetroFramework.Fonts.dll

Filesize
656KB

MD5
612080028164b12939751dcccbb68d4a

SHA1
db066593c63d2eff41a5af1b49a3e098b60e0013

SHA256
e96030fddaf7e78401567ee82480ad75ee48d3556199a3f85c0ec669edac2ef4

SHA512
1879c960e27e32941c0c992b84803e7a1f8d243bfc88d17d3d32baca772290b9ea60a6ea90d53170be3bf7f0a58fe71ec901dc66aa560b4bf68b1da56c09fe18

Download Submit
C:\ProgramData\MetroFramework.dll

Filesize
149KB

MD5
44538b311e9ec2bcf0a6452702628d99

SHA1
da67301539903775708e9ec913654851e9e8eade

SHA256
baf326f52d39155d722465947f4cc67e6e90cfd0f89954eab959568e9bc342aa

SHA512
b65e3bc1c0f7b4c8f778cf52a36d628301d60aab53fdaf0355163e4865bc3d3adbf8870bb6cefc604708fdf2c0e72258eaf2fe301d524af2f77bc08014c9610a

Download Submit
C:\ProgramData\build.exe

Filesize
95KB

MD5
ef6721cf0bd7437d8bca647ead8f0120

SHA1
7a2bd21a58d9a468380a47dfd81505b56cce613b

SHA256
0ed605c6122fa4b3d84e89dd3dde7e3fca0aef0687935c1201f55d31a594d56b

SHA512
70f28c80f7beebe6df040b07dcc782245d71a93102041c971c1cdfaeed2e8556fe3f641201486b7bbfbb30f6c511a678cf499328911a8c8d66ef2be16affb076

Download Submit
C:\ProgramData\unbinded.exe

Filesize
244KB

MD5
58471a0ddd6dedc736742d6a3df2a316

SHA1
14af48beecc60cb181d72ba59ec2d6a075a9b9a1

SHA256
84c9a4dd34de4182ac6bb2296302c00b54d9f948ee9b2d70a882c16b308dd881

SHA512
2bc27010a11e97c96ea4b386e0691741c0a7daf22715abf2afd35b4c8d5ca419eb3cef373af175feaa3d6fdc89353ec48443aaff0fa59c2383e5d6340bccd850

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DBF.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DD4.tmp

Filesize
92KB

MD5
cf00cf5b059b43e29cbde1a36c6209f3

SHA1
9df2f8ef60997e3934fef0d88f9770fb9d19769f

SHA256
9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a

SHA512
16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
676a2657bfe24b57bea510e070dc8885

SHA1
aa4f3b5585bd0d194fb274f2dda8a3b5f0e601c7

SHA256
6084ba3ca5a2919d5a83ea5ea632025ee8e36b28f0d04c2d129f97a3945ccb62

SHA512
c0913de6d383f38da17847f930ec990c1f96570356895caecbe8f283af79542e6bda6d70ca74d1d3c9fd8344210f62e71cf6f991b4e7f062dc97daeccfea85e2

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1604-134-0x00000000003F0000-0x0000000000434000-memory.dmp

Filesize
272KB

Download
memory/2152-1-0x0000000000F00000-0x0000000001200000-memory.dmp

Filesize
3.0MB

Download
memory/2152-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

Filesize
4KB

Download
memory/2220-131-0x0000000001260000-0x00000000012A4000-memory.dmp

Filesize
272KB

Download
memory/2244-46-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2244-47-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2380-33-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2380-32-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2516-39-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2516-40-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2740-22-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2756-127-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-13-0x00000000011D0000-0x0000000001214000-memory.dmp

Filesize
272KB

Download
memory/2756-25-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-21-0x00000000008F0000-0x0000000000AA2000-memory.dmp

Filesize
1.7MB

Download
memory/2960-27-0x000000001BA20000-0x000000001BACA000-memory.dmp

Filesize
680KB

Download
memory/2960-24-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download