redline | 0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac

General

Target

0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
Size

335KB
MD5

5f0cbbbc92b819788822357b8a613be0
SHA1

1d71cf5e1850f8e16bd152d6431d142f410ecfb1
SHA256

0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac
SHA512

953895e98bdcb2641715858727978685c9e3d797e8cc6810eb8b4915b7f01e038d3303e2a0f41f3f0d7e27f1129059f0f85f95e06ff3283a0313f1950d222b31
SSDEEP

3072:NVu9BB/QNxfTGtTL2M4zNYvf4jzo0iY4eJ6pWfjVIN73LXMxJlWzqn/5qCh93gZH:TuVQTfKpaVxQAA0iVfLRkOM0I4R

Score

10^/10

redline sectoprat seat_tight discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

seat_tight

C2

45.144.29.19:24123

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4448-11-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4448-11-0x0000000000400000-0x000000000041C000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
Token: SeDebugPrivilege	4448	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3212	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	99
PID 2108 wrote to memory of 3212	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	99
PID 2108 wrote to memory of 3212	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	99
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100
PID 2108 wrote to memory of 4448	2108	0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe	100

C:\Users\Admin\AppData\Local\Temp\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
"C:\Users\Admin\AppData\Local\Temp\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
  C:\Users\Admin\AppData\Local\Temp\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
  2⤵
  PID:3212
- C:\Users\Admin\AppData\Local\Temp\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
  C:\Users\Admin\AppData\Local\Temp\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0fe725bd750613095e9bc1e9eec8fa6804205d7a5aec00d483a2ec6fa547feac.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
memory/2108-10-0x0000000005FB0000-0x0000000005FBE000-memory.dmp

Filesize
56KB

Download
memory/2108-3-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/2108-1-0x0000000000A90000-0x0000000000AE8000-memory.dmp

Filesize
352KB

Download
memory/2108-4-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2108-5-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/2108-6-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2108-8-0x0000000005740000-0x00000000057B6000-memory.dmp

Filesize
472KB

Download
memory/2108-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2108-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2108-9-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/2108-2-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/4448-23-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4448-14-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4448-16-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4448-15-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4448-18-0x00000000050F0000-0x000000000512C000-memory.dmp

Filesize
240KB

Download
memory/4448-20-0x0000000005130000-0x000000000517C000-memory.dmp

Filesize
304KB

Download
memory/4448-19-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4448-21-0x00000000053A0000-0x00000000054AA000-memory.dmp

Filesize
1.0MB

Download
memory/4448-22-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4448-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing