redline

Sharing

Copy URL Twitter E-mail

General

Target

c28d2d3e7aef0f83baf30eddee28a1f3328cefaec589161a34ac3a5a4832fe5c
Size

5.2MB
Sample

240908-khpeaawdnl
MD5

530eb1c86e66fbd09f591d02d100d94d
SHA1

d7a6f841d6035f91336d014f0c8d458368c70716
SHA256

c28d2d3e7aef0f83baf30eddee28a1f3328cefaec589161a34ac3a5a4832fe5c
SHA512

62e927052451208c47b2683c5bc0074159636ac9ceebd856ac1f7730890998569f9b0572b9509f4cc466b299f6fbcccb4ba118d2d2d3b1fe8331c7c6864509f5
SSDEEP

98304:FlzCf/IMBa9Yx7Hx+iujelfdGuZ0+VTTjTBdljDvQwaY:Fs/IMiY+iuKvGuZ0+VTTBdx4G

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

lovato

57.128.132.216:55123

Targets

- Target
  
  RFQ-Al NASR-00388/AMMonitoringProvider.dll
- Size
  
  204KB
- MD5
  
  f2ae2445ac7eca1ee8480321b03241fa
- SHA1
  
  21ab4051f98e1c1e1b4f415b5a8f0589a02137b1
- SHA256
  
  8da3d256ef7df249138d8e934fbd74fda8f31c5b5758f26a757f2c686e1debdf
- SHA512
  
  6cde8462b6f63d881d74f40f7eb7336b9c86d0375e883b8665808c5e07818d9224c72597f63fc283c7e3e82d02fa6a5def17518ddd8fd0a23a4555af3ede88df
- SSDEEP
  
  3072:PCUZghW+1ao8vg/i/Tp5Co0hTgk0sXMvmcJNa+BTKTeehWKx3UjpoYfAdK+:PVZgh91h8npohmvtaMuU5s
Score

1^/10
behavioral1
- Target
  
  RFQ-Al NASR-00388/EppManifest.dll
- Size
  
  1.0MB
- MD5
  
  e1414283b5fb25e3a0aa034104e187d3
- SHA1
  
  ca6b4f68ee7a0b17072962f9d93bb10ecfb3a46f
- SHA256
  
  5768486507ce07e7c387e409714244fe2a96b33d1666d24825aa181ac3cef5bc
- SHA512
  
  ca79757602b50d82790e8583187e4a18b8a1b9e81a4ad4f1233e0cadab3fe8ca874cb1bef267953ab5a0b82f0df8392a10dab68129249af9a210068e384f8717
- SSDEEP
  
  6144:qmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJ2:4/6qa37L5
Score

1^/10
behavioral2
- Target
  
  RFQ-Al NASR-00388/MpAsDesc.dll
- Size
  
  204KB
- MD5
  
  ba2b29557ff5f4f3a7a55306d25b8d2b
- SHA1
  
  ca5dd5da467c755daa8be068397936c8de41057d
- SHA256
  
  5bf78317f21a79e0e6d48d68c30532888a7f5b3b629ef240733befff3619e9a2
- SHA512
  
  00b643281b0b49113fc6aa7ff1d234089c184a4080213065d96a13e39fedfc6f066d313469726d373a8c962e730a264226cd682d41f03a2e0ca15e8eb4f5d30e
- SSDEEP
  
  6144:vmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJ/:Nf
Score

1^/10
behavioral3
- Target
  
  RFQ-Al NASR-00388/MpAzSubmit.dll
- Size
  
  1.3MB
- MD5
  
  29fc71aa129a9497803a61161004aa61
- SHA1
  
  caff58ec07fbbd4dfd1140c79d25f83b99e04943
- SHA256
  
  f3b280576feb4afbcbde840007aa7be5ebce5e152256a65969d465f52b5a774e
- SHA512
  
  dbe6f35ca7ef6cae6aad5dd4599ed60798dc30ae7bf7540acba0ca470cc046b059b7bd1e697b7676eaace7cce2ddf15b7207a60d62e81d3e60de498c78af9d12
- SSDEEP
  
  24576:4nrdWCSqDgk/2SQXyWZTfKC6WQogiGCRku1kHfHdSHlTOaV:4nrdWCdDD25XyWZTfKC6WfTGCRH8VSN
Score

1^/10
behavioral4
- Target
  
  RFQ-Al NASR-00388/MpClient.dll
- Size
  
  3.6MB
- MD5
  
  49f9c936bca301980b396c1e77dbfdc5
- SHA1
  
  b244f22b9f0edd704208c70c5edcdeeb0f482785
- SHA256
  
  0bcae13c3c6a956c31919b6e681362319235a0c7cbccaaea3ecb9e53f02004ab
- SHA512
  
  b0b0a4a2b3534ad1312f64e5914464b0772a3fa3089dfc1108c60bff73b7305985a03c8975ac646a2fb19b2c63c768aa2a7c365e2d0f9e1a4b46255f26092426
- SSDEEP
  
  49152:FERpO77Yn0cP2Sd2y8gikPsQy2a2mZDeP5mgFTiPejKDv:qrz1Uh2mZAiv
Score

10^/10

redline sectoprat lovato credential_access discovery infostealer rat spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
behavioral5 behavioral6
- Target
  
  RFQ-Al NASR-00388/MpCommu.dll
- Size
  
  332KB
- MD5
  
  5fb1ac615c3c72df4dec02a64b7fd379
- SHA1
  
  f1491c11f9b793f758fdcd613a5e28b725f2d06a
- SHA256
  
  ca77dd6e870173ab419d43e56fb4446c6cf4493707287864049ce8b5e951ddec
- SHA512
  
  c227c1f91dd8105e7bb6b52365199251438a3f85df20d513c2956455b607d3e10fd5e7d5c8cd7cc01a4bb24cf6a240c28e5ef0c8ae6fc0f42970a1c9efe82973
- SSDEEP
  
  6144:AOpiJ7wnqa2EwPCaIAjB+9e20RG1yMuYLg4Ly:CJc2geH2r1xuey
Score

1^/10
behavioral7
- Target
  
  RFQ-Al NASR-00388/MpDetours.dll
- Size
  
  144KB
- MD5
  
  f574acdcb210e1f8bbc4733d3af82d6f
- SHA1
  
  378ac1d79194a8d7e9936a595bd9db2adadeb268
- SHA256
  
  af54dac2f73f6fb212b5dcacfac67b531cf0b79fc1e2fa6b82c5b895d892ec9f
- SHA512
  
  619b5ec15e3a310013405318ce61caa7cac94fcffa546e16069b59a22dff5261fb7d153c7e6e98976cc3ce04b55b54afa3ad2e9eef5e41660454ddb4aafc8978
- SSDEEP
  
  1536:Lzg3khUUc4YEaW4D50FyMPwL08Tnd9A+DkLkI44PWwmTZ5JmofbHPl:Lc3WqVW4d0FyMPwL02dxBZlNHmofLN
Score

1^/10
behavioral8
- Target
  
  RFQ-Al NASR-00388/MpDetoursCopyAccelerator.dll
- Size
  
  96KB
- MD5
  
  40a4995ae0098699dd471f992b4b4258
- SHA1
  
  d5e081ba5351b4cd19868f2cfd6962ee8f6aac10
- SHA256
  
  d85e1d836fb03807fece7c5868e206657e909762e3800d164dfbe90113495710
- SHA512
  
  185c225d7936c336d4a80c02d4d68045a1c942e7ed29dbc0f6b13ff9e52b845a80dfe25242dd1b91e62f4fd246093dd61563a8e8dfe0ad9fda3f3943415d7826
- SSDEEP
  
  768:hNzheLdkDvic8/sNEOBtDi187q7ZsH8P2o4wp1tYjeVmQqiKaMSve2kN38cU+ZwE:okqcE22/7ZDe8p/YjoIh2kNdZU5HPY
Score

1^/10
behavioral9
- Target
  
  RFQ-Al NASR-00388/MpEvMsg.dll
- Size
  
  140KB
- MD5
  
  9df51191844f79c00ad90076934496f8
- SHA1
  
  87f560d1686d58403b9fe6887eaf50b502d41727
- SHA256
  
  147e36a2c7b205cda744d7f7f7da17b9b60b26a4a62426fc169f82fd2687aca0
- SHA512
  
  9c5acb22c545e47c391cb3701c56ffd6f1729788fddde88cc42b8f622190ff79d154a2ebd4436d5be1acbe8c1c60fe96021e68a0c3e95465dd7831d290112eaa
- SSDEEP
  
  1536:OpD0UQih10Z/gnPH8iydExI6SqiyiS+2Jl5BBwugb81qz+4JbcMKPOVN:Od0UQJyQ
Score

1^/10
behavioral10
- Target
  
  RFQ-Al NASR-00388/MpOAV.dll
- Size
  
  484KB
- MD5
  
  394c2ecad239aa887188a7c8fdfc44b8
- SHA1
  
  0cc4f07cd5c2989efcd35f730a3690f9d1540a73
- SHA256
  
  f79c12abba8c5850906cb4d69a5b7f274786a7a4f6dcd94740c37fdf7fe0f290
- SHA512
  
  04171b4706d9ef3956635ed2d80ddacfef4e0396573af0da56b614dc821b2f5bf4ace94c26f1151636ee3732dbccba9a8d46fe6349950a4fe05c482494b1b636
- SSDEEP
  
  6144:uzNxZHzwalKMy0kdi2b5zQTubTU1LhqJULrin5CJVA/miTVVmVVV8VVNVVVcVVVi:uZxekAbhQTMU1tqJULraeA9N
Score

1^/10
behavioral11
- Target
  
  RFQ-Al NASR-00388/MpProvider.dll
- Size
  
  196KB
- MD5
  
  497fddc79f3c2ccbc65ede5cdb35f9b2
- SHA1
  
  1c2c2b6890ef6d94b29541d6a7bb5462164680b9
- SHA256
  
  3c5f90cda4b1cb8d12639385eaacc69aa96ae87b6fe257e30462dce558f1ae9a
- SHA512
  
  887d48d85f65ca9e4ebff6507bef4cc85016f5f26876948491bbbdc8ba46a991b56b9e610a12dc9f4ec3de56af186d6bf390ab786aef79d28a1f59cb63353902
- SSDEEP
  
  3072:que5tMF2FF41ZzjFwDB8XRf2oCSoqGoVQqya+TQMKTecepGimhkpTUNucix:que5Q2FFiFUBeoSxiHadimhmyQ
Score

1^/10
behavioral12
- Target
  
  RFQ-Al NASR-00388/MpRtp.dll
- Size
  
  1.3MB
- MD5
  
  b09a6e712989c71682b0b1593e4321e5
- SHA1
  
  526221185dfe858ffc50df59c102c53285732296
- SHA256
  
  ceef3fa431feef63744a02f292e8435bfb9d02653ff5ca1e4e397a8eda9b8c25
- SHA512
  
  c70ce87e5825fc0bf5462f2eca3bedb5b7c4af7806eeb87d69fcd510411cb8c84ecdf9efb1db0d7593dc14599a4fc3fe6a49aece821139bf08e753bc57f109da
- SSDEEP
  
  24576:p6sXqIv70PO2EU9aGvjPVHjIjrcWLOUpJtdcb1iehP:Ms6Iv7CE30LVHjIjwWiWJtdcb1iehP
Score

1^/10
behavioral13
- Target
  
  RFQ-Al NASR-00388/MpSvc.dll
- Size
  
  2.6MB
- MD5
  
  86449a4a33d1e34d66e146d53e72fc3c
- SHA1
  
  b8ed197af58656c6d2882e23aeccb08b1b214649
- SHA256
  
  2e85cc2a6f6ddf3d42fc258a8a9f3bcdbf46716b3c1bed09fda7242de1b245c2
- SHA512
  
  40ed419a70940aec9b8c4538ca9ed6bdbea6a2fde5f2d07777fba39c0566042ba5a0a37671331b832d83d88fa30e1a1034dd9355fd36e1a493dda20d797ebb2c
- SSDEEP
  
  49152:ttOlyJu7/mLqqrrMmgGSUaUrhqgs2078QqLQaQRGcUeGvflwcN:brJjFM81P+c3N
Score

1^/10
behavioral14
- Target
  
  RFQ-Al NASR-00388/MsMpCom.dll
- Size
  
  104KB
- MD5
  
  a27e3c773d4800429a39263dbe98e24d
- SHA1
  
  9f22ad93234749124b2fa5ac331ef4bb7662256d
- SHA256
  
  e96f24e730197d66ddb3f8a2f54a121523160187beb1bbccb5883ffe4b19fa0f
- SHA512
  
  94c24ca6e509a1df002cb93c5bf156d75e30d62ff9db0b570559f674e07d8b995fab622ce6ab057ac059030a3f53153e8205408924c31a6711af4d5a29e6cff4
- SSDEEP
  
  1536:NgzKUT0gEuOIv/5z1CWiRyPY1QYiYq8dJsqfVNt+QhKTeuq4lMYe7Pg:4Km0g8IgJQhYqG7fVNt+QKTeuq4lMYOY
Score

1^/10
behavioral15
- Target
  
  RFQ-Al NASR-00388/MsMpLics.dll
- Size
  
  20KB
- MD5
  
  c1fe13a9fbd581d6acf72afe3264fb3c
- SHA1
  
  fc4f46a421bc2574876bdd9a5134b9a0973a05ba
- SHA256
  
  8135ee0b4e92fe29dc07884079e7bf2300982b690f80ef7698eef33e8d694c78
- SHA512
  
  6d90169e2d74ddc3a4a196a8844e314aaf77799af4d83356171a4095fc3f97838359e7b5559df9e7ae2a780b115bec2c957adbb994fe5bd1fd8ade8cf858c40d
- SSDEEP
  
  192:cWgbHWQALc2Fu462TNvxjB1RDBQABJ3KNjpC52qnajOYa:cWgbHWQ1MJLRDBRJ0NliF
Score

1^/10
behavioral16
- Target
  
  RFQ-Al NASR-00388/ProtectionManagement.dll
- Size
  
  708KB
- MD5
  
  dae4004e0a642f88be3029dc4fe3b1ff
- SHA1
  
  dae88a84f80247b0e6a952c3d5696b28916d259a
- SHA256
  
  f532f803a9040930b10a880ba4d1ed62d44a15756c31a487ea8e90a67bfd3078
- SHA512
  
  95d6d4b48a8e9f65cf4836b25bae6792fbacf9be6afd9fc5a5eb820095bd62bcc401201e1c9c5fd0b7837b0113ef90e1acec14dfc07844a67069cf6981c5757f
- SSDEEP
  
  12288:mtmhr/XZihWuchRxWT53/gehV0XDU4KAZBj2G4W7q:FrYhWTl5XDPv1q
Score

1^/10
behavioral17
- Target
  
  RFQ-Al NASR-00388/RFQ-Al NASR-00388.exe
- Size
  
  165KB
- MD5
  
  be0f22a9ca20cf368fbd17e5afd29b75
- SHA1
  
  0d4b2f8be1ad496961a0baf3210d074f471f3817
- SHA256
  
  988ad96cba3b6d7aeb50c3c1c83e9abfc05e7bad5ae0e58d7d93ae55369e7a29
- SHA512
  
  1f0f44173bf9d67d112fa2e1bdfcf7544027eb2c6df2a94c1e4f8559a8074d4435805888948eda011c7377372d68552ec65418c8de0f29cf2ee489cb1f223416
- SSDEEP
  
  1536:FHtTzHtyfEpZeTHfFH1DCZ4ZjHSxANkKTeWC5HlhX/BQGOLPT:xtnhpYL51DpqANkKTeWC5HlhvilLL
Score

10^/10

redline sectoprat lovato credential_access discovery infostealer rat spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
behavioral18
- Target
  
  RFQ-Al NASR-00388/endpointdlp.dll
- Size
  
  564KB
- MD5
  
  4433f83c04f409eaea6e9d8e36708684
- SHA1
  
  83f1d33c8babac4bb474ebd335f75a10d2971c64
- SHA256
  
  4804ae834ca909178f3e9d6876209aa10851a36bc4edafd75a571e980013da1d
- SHA512
  
  87a4db85ad47bc148223a22972d08962a57db07adf0b1ba19d279c2b57aa063c981d4d55106ea1ba85f239902ce4ff83272f476aa6b6447bd49319bfe9c8eb94
- SSDEEP
  
  12288:GPaUIpEjKRSSj6imoza9hzg1glUEv2k1ukJaFV4HojFQZLgc:AaJaKRx6XgUUm2kvaFs3gc
Score

1^/10
behavioral19
- Target
  
  RFQ-Al NASR-00388/msvcp150.dll
- Size
  
  2.5MB
- MD5
  
  b4b0085158f97323158ab8438782e550
- SHA1
  
  e78baa7f2a611486196aa64485a1d762b9f88323
- SHA256
  
  6840c478bf1a0d427d1c592d5a2074bc3d4d114d8951238e6c0ee5660cf37d00
- SHA512
  
  e88c88456ee9451cbcfa3732d725f54302bcd4228921057f571fc2c0d594f52a0786888c6a7ff539afeb8e89372bc845d7685353b321ee4ae331febb5d31f896
- SSDEEP
  
  49152:yHTk0p9NWVfn/gm5Ohdl8gFrW5uuSvTzVD:F8dSuuc
Score

1^/10
behavioral20 behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RedLine payload

SectopRAT

SectopRAT payload

Credentials from Password Stores: Credentials from Web Browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Credentials from Password Stores: Credentials from Web Browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21