redline | 7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43

General

Target

RFQ_TFS-1508-AL NASR ENGINEERING.exe
Size

2.7MB
MD5

51e2a4cf52a06bff7b50826173d6a0ad
SHA1

d5450d3259df08a3d0c0a0b91b586e8532fab2e0
SHA256

7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43
SHA512

95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa
SSDEEP

12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV

Score

10^/10

redline sectoprat hyce discovery evasion execution infostealer rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

hyce

C2

193.70.111.186:13484

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2664-20-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2664-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2664-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2664-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2664-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2664-20-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2664-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2664-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2664-21-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2664-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

RFQ_TFS-1508-AL NASR ENGINEERING.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RFQ_TFS-1508-AL NASR ENGINEERING.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2808 powershell.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2808	powershell.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RFQ_TFS-1508-AL NASR ENGINEERING.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RFQ_TFS-1508-AL NASR ENGINEERING.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RFQ_TFS-1508-AL NASR ENGINEERING.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_TFS-1508-AL NASR ENGINEERING.exe

description pid process target process

PID 2068 set thread context of 2664 2068 RFQ_TFS-1508-AL NASR ENGINEERING.exe installutil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

installutil.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language installutil.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeinstallutil.exe

pid process

2808 powershell.exe
2664 installutil.exe
2664 installutil.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeinstallutil.exe

description pid process

Token: SeDebugPrivilege 2808 powershell.exe
Token: SeDebugPrivilege 2664 installutil.exe

description	pid	process	target process
PID 2068 set thread context of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe

pid	process
2808	powershell.exe
2664	installutil.exe
2664	installutil.exe

description	pid	process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2664	installutil.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RFQ_TFS-1508-AL NASR ENGINEERING.exe

description	pid	process	target process
PID 2068 wrote to memory of 2808	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	powershell.exe
PID 2068 wrote to memory of 2808	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	powershell.exe
PID 2068 wrote to memory of 2808	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	powershell.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2664	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	installutil.exe
PID 2068 wrote to memory of 2600	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	WerFault.exe
PID 2068 wrote to memory of 2600	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	WerFault.exe
PID 2068 wrote to memory of 2600	2068	RFQ_TFS-1508-AL NASR ENGINEERING.exe	WerFault.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

RFQ_TFS-1508-AL NASR ENGINEERING.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RFQ_TFS-1508-AL NASR ENGINEERING.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2068 -s 756
  2⤵
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2A6C.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A82.tmp

Filesize
92KB

MD5
102841a614a648b375e94e751611b38f

SHA1
1368e0d6d73fa3cee946bdbf474f577afffe2a43

SHA256
c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264

SHA512
ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

Download Submit
memory/2068-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2068-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-3-0x0000000000520000-0x0000000000590000-memory.dmp

Filesize
448KB

Download
memory/2068-23-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2808-10-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2808-9-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2808-8-0x0000000002E70000-0x0000000002EF0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads