redline | 307667567a5f713026d9ad4ed58da0586382a71243ca0c4f4ce0849102176ed2

General

Target

8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
Size

1.2MB
MD5

7561d69fdc62a8a8647f7c33d4413ee4
SHA1

e28b5cbfc7f41e998fab1b1d33b419cfd7f85d64
SHA256

8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0
SHA512

93b4606197a9e76ae73f1eebbc38c0dede308d29f7d8b4228f86546ea59223fe395718fe52059af1299dfa353d9dfb0f456489d8d6c502d70be98b062149f7df
SSDEEP

24576:I1DT7B3uSHk1C5P9ILvWJ3oTJwP85+2HEPR/ekRn1RY5:I1/7BxwC99a03v8+2HEp/1n12

Score

10^/10

redline sectoprat invasionvaloranthackv3.1 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

InvasionValorantHackV3.1

C2

45.67.231.218:15411

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-2-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-4-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-6-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-8-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-9-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-10-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-11-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-12-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-13-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-14-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-15-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-16-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-17-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-18-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-19-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat
behavioral1/memory/1732-20-0x00000000000B0000-0x0000000000452000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe

pid	process
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
1732	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe

pid process

1732 8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe

C:\Users\Admin\AppData\Local\Temp\8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe
"C:\Users\Admin\AppData\Local\Temp\8ef92577590803fac7d0c5b918e25f37b74b87bcf353806c6b2ed81ae4a584c0.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-0-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-1-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-3-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-4-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-5-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/1732-6-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-7-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-8-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-9-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-10-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-11-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-12-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-13-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-14-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-15-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-16-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-17-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-18-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-19-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download
memory/1732-20-0x00000000000B0000-0x0000000000452000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads