redline | d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce

General

Target

d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe
Size

1.0MB
MD5

742700f0677d095a5d38f64abf5042d7
SHA1

bc3e9168d9f2d4c2dba2fdc00b725ac9199d82c3
SHA256

d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce
SHA512

b45e67c130e2209531efd6fd7d28d9e9f4e79209cc9ebbcecb13e310d6c12c720321062d497b9a3721d93557200ac1a64bea949a78bd2259f9cef24a5329e9c4
SSDEEP

24576:u9btxEObap2SDlQYPFzk6FnYp7HKmfe+ky24B:uNNbA2YQYPFzk6RKHre+kV4B

Score

10^/10

redline sectoprat 3333444555666 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

3333444555666

C2

80.92.206.82:45827

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2248-30-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline
behavioral1/memory/2248-34-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline
behavioral1/memory/2248-33-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2248-30-0x0000000000090000-0x00000000000AE000-memory.dmp	family_sectoprat
behavioral1/memory/2248-34-0x0000000000090000-0x00000000000AE000-memory.dmp	family_sectoprat
behavioral1/memory/2248-33-0x0000000000090000-0x00000000000AE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Executes dropped EXE 3 IoCs

Processes:

Ottobre.exe.comOttobre.exe.comRegAsm.exe

pid process

2024 Ottobre.exe.com
2496 Ottobre.exe.com
2248 RegAsm.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeOttobre.exe.comOttobre.exe.comRegAsm.exe

pid process

2916 cmd.exe
2024 Ottobre.exe.com
2496 Ottobre.exe.com
2248 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ottobre.exe.com

description pid process target process

PID 2496 set thread context of 2248 2496 Ottobre.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2024	Ottobre.exe.com
2496	Ottobre.exe.com
2248	RegAsm.exe

pid	process
2916	cmd.exe
2024	Ottobre.exe.com
2496	Ottobre.exe.com
2248	RegAsm.exe

description	pid	process	target process
PID 2496 set thread context of 2248	2496	Ottobre.exe.com	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exefindstr.exeOttobre.exe.comPING.EXEOttobre.exe.comRegAsm.exed9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ottobre.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ottobre.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2168 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2168 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2248 RegAsm.exe

pid	process
2168	PING.EXE

pid	process
2168	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2248	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.execmd.execmd.exeOttobre.exe.comOttobre.exe.com

description	pid	process	target process
PID 1688 wrote to memory of 2900	1688	d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe	cmd.exe
PID 1688 wrote to memory of 2900	1688	d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe	cmd.exe
PID 1688 wrote to memory of 2900	1688	d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe	cmd.exe
PID 1688 wrote to memory of 2900	1688	d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe	cmd.exe
PID 2900 wrote to memory of 2916	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2916	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2916	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2916	2900	cmd.exe	cmd.exe
PID 2916 wrote to memory of 2936	2916	cmd.exe	findstr.exe
PID 2916 wrote to memory of 2936	2916	cmd.exe	findstr.exe
PID 2916 wrote to memory of 2936	2916	cmd.exe	findstr.exe
PID 2916 wrote to memory of 2936	2916	cmd.exe	findstr.exe
PID 2916 wrote to memory of 2024	2916	cmd.exe	Ottobre.exe.com
PID 2916 wrote to memory of 2024	2916	cmd.exe	Ottobre.exe.com
PID 2916 wrote to memory of 2024	2916	cmd.exe	Ottobre.exe.com
PID 2916 wrote to memory of 2024	2916	cmd.exe	Ottobre.exe.com
PID 2916 wrote to memory of 2168	2916	cmd.exe	PING.EXE
PID 2916 wrote to memory of 2168	2916	cmd.exe	PING.EXE
PID 2916 wrote to memory of 2168	2916	cmd.exe	PING.EXE
PID 2916 wrote to memory of 2168	2916	cmd.exe	PING.EXE
PID 2024 wrote to memory of 2496	2024	Ottobre.exe.com	Ottobre.exe.com
PID 2024 wrote to memory of 2496	2024	Ottobre.exe.com	Ottobre.exe.com
PID 2024 wrote to memory of 2496	2024	Ottobre.exe.com	Ottobre.exe.com
PID 2024 wrote to memory of 2496	2024	Ottobre.exe.com	Ottobre.exe.com
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe
PID 2496 wrote to memory of 2248	2496	Ottobre.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe
"C:\Users\Admin\AppData\Local\Temp\d9184ae3da1eafd4621efd0b4c79c0fd01a25b8dfaf876aa57aa100f5f5a1bce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Mantenga.mp3
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^QPNBDrUDoFoyGwGysTHVztNiZkZuxkPcfkELVDJSyIjUmeLqWapdhcHMeGBsrOoXPMQcvUlOpOPLSSHWA$" Narcotico.mp3
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ottobre.exe.com
      Ottobre.exe.com a
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ottobre.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ottobre.exe.com a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenga.mp3

Filesize
322B

MD5
b8ed7fb3e3c7514c05c803eba3c4b1b3

SHA1
eba88818b0a4f5eb6163121725d7f74f77e8b10c

SHA256
20efd6eda1c9c4a2724ba6fbb26e6f577c63ad7c09a13789ec94c6c9c0b91e0c

SHA512
d45874180632f42cc8f2291c7a141e19fa1854a4345fd3a9ec6578665a3ead3341babfbdf3aa9d018dddab14e95b6e2e3ddcd274543378798564f7dc0d59f620

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Narcotico.mp3

Filesize
872KB

MD5
aa769a297369ef30a241f3eb1695a2d7

SHA1
79ed28b30dd7c83b77f65cd82cf4c1bacfaabc7d

SHA256
a5aeecf59a359789311c064bcb9f72cca6d2a0cbc5c4cb85757e5a80619bf571

SHA512
b089ebcfc5d787677acaf7a1071f066ab181fc88fc4c909ac9518c771be6d3e2dc5b409833c443d9e5993f8e9e7633978ba3724a29cac2b53c272d5d393403de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Officio.mp3

Filesize
985KB

MD5
4ba3f3e6275d92afab152791d3cb3afa

SHA1
bdf766055f4022af5cb45b8aaa5cca3e7ac3aa34

SHA256
fed5b872713d9c1a8e7cc6ab7d47b40e9875cc3069ea255718ee7cda8157fefa

SHA512
598e715c32d11dd3e25b5db43bfe984caadddb7913c960f6112ab58bea9d3c544d60210bc21c4604ac9c5e6eb14c67f798de0376c9f2cf5f37ea80ea7e8af48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sul.mp3

Filesize
95KB

MD5
c489cbd0c9ccd192846a6eeb8e05966f

SHA1
8fd1c889aeeaab666f56bdb9ddc4466681e35b0c

SHA256
a4acc07cf3d307a00d02b366dbb2c749f6a3efa9bd2f4581f90a6906b004a483

SHA512
d311787e287f8ba8f5ab44e6b2953f6bda216d3e68d354371e92198ffe3a3f054e43b2d1105a353059682fc655685ecf09a228c9790d7445de4a3e12d6732f3f

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ottobre.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2248-28-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/2248-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2248-30-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/2248-34-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/2248-33-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads