redline | dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa

General

Target

dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe
Size

1.2MB
MD5

b0171a35d97747c25578e7e4ce4e49ec
SHA1

aadf5fcd323f63505f993108e700a24361ce1b82
SHA256

dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa
SHA512

033039c1dd16fbea103de65a62918363603bcfcb42e9ccf473573c07a20971049a99c763d8a5a7abee659c215c1c51f3674aea3de1087bc9e5c06b3fb3a74873
SSDEEP

24576:5yeATtmuSHfF1JR95/3wKgV/1vA3Yy4WQOJ:5MAF1H95/3avA+WjJ

Score

10^/10

redline sectoprat ultimatecrackpack credential_access discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

C2

51.83.170.23:16128

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2984-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2984-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2984-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2984-35-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2984-34-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2984-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2984-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2984-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2984-35-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2984-34-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 2 IoCs

Processes:

Ultimate-Crack-Pack.exeUrl To Dork Converter.exe

pid process

3028 Ultimate-Crack-Pack.exe
2632 Url To Dork Converter.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3028	Ultimate-Crack-Pack.exe
2632	Url To Dork Converter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\msconfig.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration\\msconfig.exe.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2452 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ultimate-Crack-Pack.exe

description pid process target process

PID 3028 set thread context of 2984 3028 Ultimate-Crack-Pack.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2452	powershell.exe

description	pid	process	target process
PID 3028 set thread context of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeRegAsm.exeUltimate-Crack-Pack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeRegAsm.exe

pid process

2452 powershell.exe
2984 RegAsm.exe
2984 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2452 powershell.exe
Token: SeDebugPrivilege 2984 RegAsm.exe

pid	process
2452	powershell.exe
2984	RegAsm.exe
2984	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2984	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exeUltimate-Crack-Pack.exe

description	pid	process	target process
PID 2180 wrote to memory of 3028	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Ultimate-Crack-Pack.exe
PID 2180 wrote to memory of 3028	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Ultimate-Crack-Pack.exe
PID 2180 wrote to memory of 3028	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Ultimate-Crack-Pack.exe
PID 2180 wrote to memory of 3028	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Ultimate-Crack-Pack.exe
PID 2180 wrote to memory of 2632	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Url To Dork Converter.exe
PID 2180 wrote to memory of 2632	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Url To Dork Converter.exe
PID 2180 wrote to memory of 2632	2180	dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe	Url To Dork Converter.exe
PID 3028 wrote to memory of 2452	3028	Ultimate-Crack-Pack.exe	powershell.exe
PID 3028 wrote to memory of 2452	3028	Ultimate-Crack-Pack.exe	powershell.exe
PID 3028 wrote to memory of 2452	3028	Ultimate-Crack-Pack.exe	powershell.exe
PID 3028 wrote to memory of 2452	3028	Ultimate-Crack-Pack.exe	powershell.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe
PID 3028 wrote to memory of 2984	3028	Ultimate-Crack-Pack.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe
"C:\Users\Admin\AppData\Local\Temp\dd2bdb615eff30354ba6a94d817c183fddb311b865bf3e97c370e402acc789fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Roaming\Ultimate-Crack-Pack.exe
  "C:\Users\Admin\AppData\Roaming\Ultimate-Crack-Pack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Users\Admin\AppData\Roaming\Url To Dork Converter.exe
  "C:\Users\Admin\AppData\Roaming\Url To Dork Converter.exe"
  2⤵
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6CFE.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D13.tmp

Filesize
92KB

MD5
e155b11eaa9d52d9fea781a3c7a52c90

SHA1
02467076895b88c0e1f8cb202d5c3db9ea2f59ed

SHA256
c5179cda73c35bf9b7677fd9c5d0fe90a7ad0889e9cf8d6886efaadc8fe1b15b

SHA512
5d1e533b4d91b5a774df192df82028c6824579c30a968ea6c68b4b0a2586d172822a9788b0f5eb8dc5c739be313538908b5871bc11b78f9840f8919cfc52f9cf

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate-Crack-Pack.exe

Filesize
115KB

MD5
dc6f230a993249cbe632aea3edbbd63e

SHA1
ee67ed14eb647918d0d7ffd11ba7b665eeb19c27

SHA256
a6c001e47fd68b6c97fa484c5c98f918eed5d231bd8f1a4e4ad65af20788118b

SHA512
7e9b46e5d8e8fa609c839d570cf6cf80c7464de553f094e02b6f86e96dc81ce65a1f5f071acd6fadec9d1f4690f48972d4425a7dc2bb0bab7d0588eae81fa5e2

Download Submit
C:\Users\Admin\AppData\Roaming\Url To Dork Converter.exe

Filesize
754KB

MD5
b2ff28b8489e73db64796ea27717faf1

SHA1
26afa624fb3b99049754f726a91df7c270e1d5fb

SHA256
d177c6de17fe9ee456edddaf814aac4107a239fced43994364b57678c751cfc5

SHA512
44c8f3d59102772153d277f138904275e5a7c6db9f64dcdc745e0633f178e9f27aec132bb9f5e7a0c128310814819b8bd142e05e60578e0d97b4296b67314d85

Download Submit
memory/2180-1-0x0000000000CE0000-0x0000000000E1E000-memory.dmp

Filesize
1.2MB

Download
memory/2180-0-0x000007FEF5643000-0x000007FEF5644000-memory.dmp

Filesize
4KB

Download
memory/2632-19-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2632-16-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2984-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3028-20-0x00000000002E0000-0x0000000000302000-memory.dmp

Filesize
136KB

Download
memory/3028-18-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/3028-17-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/3028-15-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads