redline | fe06a9c922af3f3424b89a2181517f2856fea026a234d5b55307cad89b606a53

General

Target

LIST PURCHASING SAMPLE.exe
Size

612KB
MD5

ecd159d26376dd7d518c1dceb594c2b6
SHA1

60510c6bc575099d54d45cb488b55fe3e119598d
SHA256

bf2fc65aa2d6ca7843ddfb3a059dbfe734aad5c9ca1daa1789bec5e3ff66b266
SHA512

7b103b97a26bca47993212eb229920fff93caab667c682c9c3b93b52db4108df310d007ff9063ebc8036aeb748f989cf0d9a42de544d85a3a6da52e63b469161
SSDEEP

12288:KRQIJ0r1ixmzU1OApFMH2CPw7oRttTI27rAdcpCJVMgnkR:wJo1ikOiHxI76nTr78dcpCJVTy

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.252:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2248-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2248-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2248-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2248-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2248-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2248-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2248-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2248-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2248-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2248-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe
2772	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 2248	2620	LIST PURCHASING SAMPLE.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LIST PURCHASING SAMPLE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LIST PURCHASING SAMPLE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2620	LIST PURCHASING SAMPLE.exe
2620	LIST PURCHASING SAMPLE.exe
2620	LIST PURCHASING SAMPLE.exe
2620	LIST PURCHASING SAMPLE.exe
2748	powershell.exe
2772	powershell.exe
2248	LIST PURCHASING SAMPLE.exe
2248	LIST PURCHASING SAMPLE.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	LIST PURCHASING SAMPLE.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2248	LIST PURCHASING SAMPLE.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2772	2620	LIST PURCHASING SAMPLE.exe	30
PID 2620 wrote to memory of 2772	2620	LIST PURCHASING SAMPLE.exe	30
PID 2620 wrote to memory of 2772	2620	LIST PURCHASING SAMPLE.exe	30
PID 2620 wrote to memory of 2772	2620	LIST PURCHASING SAMPLE.exe	30
PID 2620 wrote to memory of 2748	2620	LIST PURCHASING SAMPLE.exe	32
PID 2620 wrote to memory of 2748	2620	LIST PURCHASING SAMPLE.exe	32
PID 2620 wrote to memory of 2748	2620	LIST PURCHASING SAMPLE.exe	32
PID 2620 wrote to memory of 2748	2620	LIST PURCHASING SAMPLE.exe	32
PID 2620 wrote to memory of 2732	2620	LIST PURCHASING SAMPLE.exe	34
PID 2620 wrote to memory of 2732	2620	LIST PURCHASING SAMPLE.exe	34
PID 2620 wrote to memory of 2732	2620	LIST PURCHASING SAMPLE.exe	34
PID 2620 wrote to memory of 2732	2620	LIST PURCHASING SAMPLE.exe	34
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36
PID 2620 wrote to memory of 2248	2620	LIST PURCHASING SAMPLE.exe	36

C:\Users\Admin\AppData\Local\Temp\LIST PURCHASING SAMPLE.exe
"C:\Users\Admin\AppData\Local\Temp\LIST PURCHASING SAMPLE.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LIST PURCHASING SAMPLE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GKiAUoOhepV.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GKiAUoOhepV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7021.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\LIST PURCHASING SAMPLE.exe
  "C:\Users\Admin\AppData\Local\Temp\LIST PURCHASING SAMPLE.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7021.tmp

Filesize
1KB

MD5
2e3104520b7e24330778cc5e5487e352

SHA1
1ef966ffb61cb9449a4198447b66fbb4efa52f83

SHA256
a2db5caccc873110fe0840e22669b20db5d36a5f882c64dd50f84bbcfb27d30b

SHA512
fad5609652464fe69e5cd61a583f35df9421de93d19c9f35cba1e597334870cd75cdba72f61138442ce711096190bedc084b0cda28af7519a8a5d2a3051612c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9ACE.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AE4.tmp

Filesize
92KB

MD5
f98745d81e8b84f39630844a63afc1ee

SHA1
d7977c2dab5de25630f7d869f9b16a8502cd3bb3

SHA256
9c34e13f0d2852fb4a8a53a4727a59d24691a507edb6ff1965024a6147799a83

SHA512
e6b1bf12139e627d6aa2b25c9d7e8ebab1e86fc3025655bf88bc735413f55b10490f0237b8d11fd5db0eb6045f6176e93228c70d8e940a62ea4324816c31a3dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1NNIISN2W1LP89VXLOEQ.temp

Filesize
7KB

MD5
f26371880d2ab8c394d636204e6b366a

SHA1
6150abb1124d5223bfcc81e7f90a1e949636b991

SHA256
d9d0be1857e8b8bb6178785f8ca8a0f6d603b17433ba48d58829494ae11b471c

SHA512
d3d7545d9c0c0d6fdc67c32dc7a71bbb0892806d09c72d223cbff258178c1cb75679fd4b212501e8da1884f3a6e631aa51808b2bd67fccc01d2ce934758acb47

Download Submit
memory/2248-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-3-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2620-4-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2620-5-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-0-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2620-6-0x0000000000B30000-0x0000000000B92000-memory.dmp

Filesize
392KB

Download
memory/2620-32-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-2-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-1-0x0000000001030000-0x00000000010CA000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads