redline | 4e30dc1786ef81954dc6d2055ca4c7cc2cb8b3a3af5443ea03885a7f38e96a80

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe
Size

596KB
MD5

7a1040ef3ed54b1643e695698d0e30b5
SHA1

e525239b4d0dbdba36d81a7dfa3dde58847dbaa1
SHA256

4e30dc1786ef81954dc6d2055ca4c7cc2cb8b3a3af5443ea03885a7f38e96a80
SHA512

3682a40eed206d16f170a8bb9693cf18bc27098827940b88671e5efaa48eb69eb104b349ec24612b4682628e8d8f3d4494687fd8d91d869d0e5a6d5020a28e9d
SSDEEP

6144:t+gToN7bairrnsDRnPZPU5GD3ZKOzcjp/aScxuEWMXu3OWaewWUSMYVy:tGN7uwzsDPPRZZzctapbSjJM7

Score

10^/10

redline sectoprat @dxpex defense_evasion discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@dxpex

45.14.12.90:52072

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2984-1946-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2984-1946-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3636 set thread context of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe
3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe
Token: SeDebugPrivilege	2984	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98
PID 3636 wrote to memory of 2984	3636	7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7a1040ef3ed54b1643e695698d0e30b5_JaffaCakes118.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/2984-1946-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-1948-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2984-1949-0x0000000006B90000-0x00000000071A8000-memory.dmp

Filesize
6.1MB

Download
memory/2984-1950-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/2984-1955-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2984-1954-0x0000000006630000-0x000000000673A000-memory.dmp

Filesize
1.0MB

Download
memory/2984-1952-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2984-1953-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/2984-1951-0x0000000005690000-0x00000000056CC000-memory.dmp

Filesize
240KB

Download
memory/3636-57-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-46-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-7-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3636-8-0x0000000006850000-0x000000000689A000-memory.dmp

Filesize
296KB

Download
memory/3636-9-0x00000000069E0000-0x0000000006A46000-memory.dmp

Filesize
408KB

Download
memory/3636-11-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-10-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-33-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-73-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-71-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-69-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-67-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-65-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-63-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-61-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-59-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-4-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3636-53-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-51-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-49-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-47-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-6-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/3636-43-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-41-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-39-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-38-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-31-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-29-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-28-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-25-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-23-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-22-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-19-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-17-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-15-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-5-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/3636-3-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/3636-2-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/3636-1-0x0000000000B10000-0x0000000000BA8000-memory.dmp

Filesize
608KB

Download
memory/3636-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/3636-13-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-55-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-35-0x00000000069E0000-0x0000000006A40000-memory.dmp

Filesize
384KB

Download
memory/3636-1947-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download