redline | 7095ea6370e2e8185b67f10ab1f4474c54c9e32ab720f9812c357f06c58b1582

General

Target

MAIN PRODUCT LIST.exe
Size

862KB
MD5

811c545aa729514b90bb9fd23c59d3b3
SHA1

7336cc7e0c07510578b2ae17ec1ff9d13d076951
SHA256

f6f4b5609a801705b82bf007e6bb17b79113c0c53641aea3be0a868bf7546fab
SHA512

16876ec3527da4220cbd37acd8e8799cf879b32ab5756eb2f894fe969bc41483fb7652a272e4776306763b31efdf6e94f9709e1c23575c7bf80bcb7333af6d9a
SSDEEP

12288:CWWCcL0nsDi0Q00QEhqIlq+1j1XCGziBYqPWaDgT2YnhQO86GwkR:bWonNmO5Cw0PWajZO86E

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.252:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2636-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2636-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2636-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2636-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2636-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2636-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2636-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2636-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2636-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2636-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2872 powershell.exe
2752 powershell.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

MAIN PRODUCT LIST.exe

description pid process target process

PID 2400 set thread context of 2636 2400 MAIN PRODUCT LIST.exe MAIN PRODUCT LIST.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2872	powershell.exe
2752	powershell.exe

description	pid	process	target process
PID 2400 set thread context of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MAIN PRODUCT LIST.exepowershell.exepowershell.exeschtasks.exeMAIN PRODUCT LIST.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAIN PRODUCT LIST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAIN PRODUCT LIST.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2360 schtasks.exe

pid	process
2360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

MAIN PRODUCT LIST.exepowershell.exepowershell.exeMAIN PRODUCT LIST.exe

pid	process
2400	MAIN PRODUCT LIST.exe
2400	MAIN PRODUCT LIST.exe
2400	MAIN PRODUCT LIST.exe
2872	powershell.exe
2752	powershell.exe
2400	MAIN PRODUCT LIST.exe
2636	MAIN PRODUCT LIST.exe
2636	MAIN PRODUCT LIST.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MAIN PRODUCT LIST.exepowershell.exepowershell.exeMAIN PRODUCT LIST.exe

description	pid	process
Token: SeDebugPrivilege	2400	MAIN PRODUCT LIST.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2636	MAIN PRODUCT LIST.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

MAIN PRODUCT LIST.exe

description	pid	process	target process
PID 2400 wrote to memory of 2872	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2872	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2872	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2872	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2752	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2752	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2752	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2752	2400	MAIN PRODUCT LIST.exe	powershell.exe
PID 2400 wrote to memory of 2360	2400	MAIN PRODUCT LIST.exe	schtasks.exe
PID 2400 wrote to memory of 2360	2400	MAIN PRODUCT LIST.exe	schtasks.exe
PID 2400 wrote to memory of 2360	2400	MAIN PRODUCT LIST.exe	schtasks.exe
PID 2400 wrote to memory of 2360	2400	MAIN PRODUCT LIST.exe	schtasks.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe
PID 2400 wrote to memory of 2636	2400	MAIN PRODUCT LIST.exe	MAIN PRODUCT LIST.exe

C:\Users\Admin\AppData\Local\Temp\MAIN PRODUCT LIST.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN PRODUCT LIST.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MAIN PRODUCT LIST.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xrdDQpXzPy.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xrdDQpXzPy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp158.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\MAIN PRODUCT LIST.exe
  "C:\Users\Admin\AppData\Local\Temp\MAIN PRODUCT LIST.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp158.tmp

Filesize
1KB

MD5
0c7bf4e5b9c1c861ae291660ffe612cf

SHA1
250058c1181db3612053c2e7db4bb7b9af5a1072

SHA256
f690f4b5e55f53cdb509b5e3a7449c527f7c1367cb7784af2630cf723e1b33a2

SHA512
216f9c4ab897d74def05f5968644a338d36c75818c90acbedd242603d0e525c44c45a562ccc3b7d15d073b5af56abfbf30789c01722f2f4fa99a5497ef42c313

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26B5.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26CA.tmp

Filesize
92KB

MD5
f98745d81e8b84f39630844a63afc1ee

SHA1
d7977c2dab5de25630f7d869f9b16a8502cd3bb3

SHA256
9c34e13f0d2852fb4a8a53a4727a59d24691a507edb6ff1965024a6147799a83

SHA512
e6b1bf12139e627d6aa2b25c9d7e8ebab1e86fc3025655bf88bc735413f55b10490f0237b8d11fd5db0eb6045f6176e93228c70d8e940a62ea4324816c31a3dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TK3479XST2OD0XZTF51N.temp

Filesize
7KB

MD5
05b43db05e93d3e79ca0c46703a2c9a9

SHA1
1ae58e047fb783327cc545eaf540ffa2c3840de3

SHA256
f22cb7e9f5c1a826d47f4d98d46f42b831ce1daae910975fc43c5a0143aff30b

SHA512
c984be53d55a4cc04e6d63cca1acfcb855cd9e4802f69cc7ec802fa756d9aa9e5266ec6ce0f3ba11ce4c5b1f7eb819288f25627fa4a482b9aeed314d0e5a296d

Download Submit
memory/2400-32-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-1-0x0000000000BC0000-0x0000000000C9A000-memory.dmp

Filesize
872KB

Download
memory/2400-2-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2400-3-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-4-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/2400-5-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-6-0x0000000004740000-0x00000000047A2000-memory.dmp

Filesize
392KB

Download
memory/2400-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/2636-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads