redline | ec851b0e580334014882ec97f7d2a44ee82d3c5f3c2e5bd86971d474dd0442a1

General

Target

e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe
Size

95KB
MD5

4622038cc281fbc35d0cfce6c5a595e3
SHA1

6f68e253ba656556e0eac9c4dafe6fdadb4c39f9
SHA256

e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e
SHA512

f5114998a7cfb51a7dec1477b2b3a026fd5a504ac9d4a16bb761ae09fe55074468944a5aaf7c66ed5c67aefdab2b62ca544a3b22ac7d245a0c9ffd11a8c298f3
SSDEEP

1536:Oqs+EqJ8lbG6jejoigI/43Ywzi0Zb78ivombfexv0ujXyyed29teulgS6pc:sDukY/+zi0ZbYe1g0ujyzdZc

Score

10^/10

redline sectoprat blackhatrussia.com clean credential_access discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

blackhatrussia.com clean

C2

51.89.201.41:29254

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4952-1-0x0000000000210000-0x000000000022E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4952-1-0x0000000000210000-0x000000000022E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe
4952	e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe

C:\Users\Admin\AppData\Local\Temp\e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe
"C:\Users\Admin\AppData\Local\Temp\e4d67649c7704c50925bcd3fe6ac345cba54d118407f28f6550b398671b0284e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC11E.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC134.tmp

Filesize
114KB

MD5
f0b6304b7b1d85d077205e5df561164a

SHA1
186d8f4596689a9a614cf47fc85f90f0b8704ffe

SHA256
c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7

SHA512
d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC150.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC175.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC18A.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1A6.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/4952-5-0x0000000004B30000-0x0000000004B7C000-memory.dmp

Filesize
304KB

Download
memory/4952-13-0x00000000065B0000-0x0000000006642000-memory.dmp

Filesize
584KB

Download
memory/4952-8-0x0000000006080000-0x0000000006242000-memory.dmp

Filesize
1.8MB

Download
memory/4952-9-0x0000000006780000-0x0000000006CAC000-memory.dmp

Filesize
5.2MB

Download
memory/4952-10-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/4952-11-0x0000000007260000-0x0000000007804000-memory.dmp

Filesize
5.6MB

Download
memory/4952-12-0x0000000006490000-0x0000000006506000-memory.dmp

Filesize
472KB

Download
memory/4952-7-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/4952-14-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/4952-6-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/4952-4-0x0000000004AF0000-0x0000000004B2C000-memory.dmp

Filesize
240KB

Download
memory/4952-3-0x0000000004A90000-0x0000000004AA2000-memory.dmp

Filesize
72KB

Download
memory/4952-2-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/4952-1-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/4952-188-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing