redline | 083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292

General

Target

MalwareBazaar.exe
Size

210KB
MD5

d412df3af3c10af259fd4cc58e68f00b
SHA1

2de05f08b05fb0abb4b24616db00d0ce1dec420e
SHA256

083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292
SHA512

9bcf5dca3811bed78e59bca04ca934965a93b00c53769de477f33d465279ec10d6355a66e841cecf439d783721784378fd570c0a7ce6af00c3c16aa58a29d808
SSDEEP

3072:01hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfWw:01hnJ6D1IxPtUyNrsHdmqEf

Score

10^/10

redline sectoprat stormkitty xworm metin credential_access defense_evasion discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Metin

C2

duclog23.duckdns.org:37552

Extracted

Family

xworm

C2

duclog23.duckdns.org:7000

Attributes

Install_directory
%AppData%
install_file
Chrome.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2780-121-0x000000001A6D0000-0x000000001A6DE000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Metin.exe	family_xworm
behavioral1/memory/2780-16-0x0000000000BC0000-0x0000000000BD4000-memory.dmp	family_xworm
behavioral1/memory/1596-120-0x00000000013A0000-0x00000000013B4000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\M2.exe	family_redline
behavioral1/memory/2832-15-0x0000000000DD0000-0x0000000000DEE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\M2.exe	family_sectoprat
behavioral1/memory/2832-15-0x0000000000DD0000-0x0000000000DEE000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-123-0x000000001D120000-0x000000001D23E000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2072 powershell.exe
592 powershell.exe
1736 powershell.exe
1624 powershell.exe

pid	process
2072	powershell.exe
592	powershell.exe
1736	powershell.exe
1624	powershell.exe

Drops startup file 2 IoCs

Processes:

Metin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe

Executes dropped EXE 5 IoCs

Processes:

M2.exeMetin.exeChrome.exeChrome.exeChrome.exe

pid process

2832 M2.exe
2780 Metin.exe
1596 Chrome.exe
600 Chrome.exe
1752 Chrome.exe
Loads dropped DLL 2 IoCs

Processes:

MalwareBazaar.exe

pid process

1824 MalwareBazaar.exe
1824 MalwareBazaar.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2832	M2.exe
2780	Metin.exe
1596	Chrome.exe
600	Chrome.exe
1752	Chrome.exe

pid	process
1824	MalwareBazaar.exe
1824	MalwareBazaar.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Metin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Metin.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
7	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeM2.exeMalwareBazaar.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareBazaar.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1432 schtasks.exe

pid	process
1432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeM2.exeMetin.exe

pid	process
2744	powershell.exe
2072	powershell.exe
592	powershell.exe
1736	powershell.exe
1624	powershell.exe
2832	M2.exe
2832	M2.exe
2780	Metin.exe
2780	Metin.exe
2780	Metin.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Metin.exepowershell.exeM2.exepowershell.exepowershell.exepowershell.exepowershell.exeChrome.exeChrome.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	2780	Metin.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2832	M2.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2780	Metin.exe
Token: SeDebugPrivilege	1596	Chrome.exe
Token: SeDebugPrivilege	600	Chrome.exe
Token: SeDebugPrivilege	1752	Chrome.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

MalwareBazaar.exeMetin.exetaskeng.exe

description	pid	process	target process
PID 1824 wrote to memory of 2744	1824	MalwareBazaar.exe	powershell.exe
PID 1824 wrote to memory of 2744	1824	MalwareBazaar.exe	powershell.exe
PID 1824 wrote to memory of 2744	1824	MalwareBazaar.exe	powershell.exe
PID 1824 wrote to memory of 2744	1824	MalwareBazaar.exe	powershell.exe
PID 1824 wrote to memory of 2832	1824	MalwareBazaar.exe	M2.exe
PID 1824 wrote to memory of 2832	1824	MalwareBazaar.exe	M2.exe
PID 1824 wrote to memory of 2832	1824	MalwareBazaar.exe	M2.exe
PID 1824 wrote to memory of 2832	1824	MalwareBazaar.exe	M2.exe
PID 1824 wrote to memory of 2780	1824	MalwareBazaar.exe	Metin.exe
PID 1824 wrote to memory of 2780	1824	MalwareBazaar.exe	Metin.exe
PID 1824 wrote to memory of 2780	1824	MalwareBazaar.exe	Metin.exe
PID 1824 wrote to memory of 2780	1824	MalwareBazaar.exe	Metin.exe
PID 2780 wrote to memory of 2072	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 2072	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 2072	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 592	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 592	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 592	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1736	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1736	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1736	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1624	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1624	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1624	2780	Metin.exe	powershell.exe
PID 2780 wrote to memory of 1432	2780	Metin.exe	schtasks.exe
PID 2780 wrote to memory of 1432	2780	Metin.exe	schtasks.exe
PID 2780 wrote to memory of 1432	2780	Metin.exe	schtasks.exe
PID 920 wrote to memory of 1596	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 1596	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 1596	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 600	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 600	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 600	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 1752	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 1752	920	taskeng.exe	Chrome.exe
PID 920 wrote to memory of 1752	920	taskeng.exe	Chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Users\Admin\AppData\Roaming\M2.exe
"C:\Users\Admin\AppData\Roaming\M2.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Roaming\Metin.exe
"C:\Users\Admin\AppData\Roaming\Metin.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Metin.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\taskeng.exe
taskeng.exe {DA789719-4A09-4FC0-A070-7EBA6F01C49C} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA2AB.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2C1.tmp

Filesize
92KB

MD5
df8f707fde4a4e68ffee7c48f6a9b7db

SHA1
6852a7a4c463c3853643439794ed130a41d0c90b

SHA256
dc4e84de932df42fc1d78aa17751a6e21e723ae60796cd400e0b01c26d1b0449

SHA512
9c99fb4dc2c7727a75a632e28d3d18b6b4736f4484720788f9410a4567bf4aa4ed74fc6448a6a7d7cdff7bb4787e906a0f1c4e05c41ba02473e900f6aee9b7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE43.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\M2.exe

Filesize
95KB

MD5
2598b5fee38d9c0979f009e77f94ea33

SHA1
9c2c0f0734fbf16853de911868024dfbed91e5ec

SHA256
00a709baca231f15267526d7b5db11cd94b0089ed6cfd1667a1ff2ebd584c266

SHA512
d6fa07fdfa6493c3abe95c650dca114b1737d8812fe86476ef8afbb1d34e50b537821a7958acdc243246484fc4f28dd208db4328663bbc22ec79ae34f3340c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UCA369KHR7970D9RPCLP.temp

Filesize
7KB

MD5
730f3c89a14a04e0f5d81237d5e3b806

SHA1
8c5b3e062a50814a79d1acb7f35094d8fa10466f

SHA256
67c0c5a5f534cd5a9b3e078979064f49cdd2c020248eb4b4096d7a6b27902ac4

SHA512
004bd8e9fa786c06dd4ef7e7210b9fca19cec17de545c67af96bdf987112160dee3c127bb8933f35607ea7ea187daeff7f6ca0281f7a3c978d32255574247dc6

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Metin.exe

Filesize
51KB

MD5
1d846637aa409d6dd4fd14f70a63f907

SHA1
a0f494b321ef5bd5b95f60d4ee9e4ae836d73b8a

SHA256
08a5ab51f8eee96d3837aaef4d74bf672d937056118003ecfa0e4df9dae49125

SHA512
259bd4d63bd69cdfd9a29303dc5ef3174136353daad23747c4589ed5b760d9905285211850bf49fde37c0ba355f3e463df6633a518affb270cfeb9f24885508c

Download Submit
memory/592-29-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/592-28-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1596-120-0x00000000013A0000-0x00000000013B4000-memory.dmp

Filesize
80KB

Download
memory/2072-22-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2072-21-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2780-16-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download
memory/2780-121-0x000000001A6D0000-0x000000001A6DE000-memory.dmp

Filesize
56KB

Download
memory/2780-122-0x000000001DCB0000-0x000000001E000000-memory.dmp

Filesize
3.3MB

Download
memory/2780-123-0x000000001D120000-0x000000001D23E000-memory.dmp

Filesize
1.1MB

Download
memory/2832-15-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads