redline | 9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578

General

Target

9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe
Size

520KB
MD5

a11581530fe0ee83ad07321f367b80f9
SHA1

4efbefada5b2245701d5df47980d6012ec320a94
SHA256

9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578
SHA512

569260b589a0b4bf24eff4d1db75a8bd1b3891844057104238c6c117c3a5191754e397c42faa785df3c00d6811bbd6cc52ff1ac86cdf973000a59fad1c4aad9a
SSDEEP

12288:0Yo7tqBC6U3hHi9LTDKvc9ru8CZS1fVPHxUhr:po7tqhMdeLtOZS19/x0

Score

10^/10

redline sectoprat hyce discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

hyce

C2

193.70.111.186:13484

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1032-27-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1032-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1032-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1032-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1032-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1032-27-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1032-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1032-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1032-22-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1032-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
2664	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2664	powershell.exe
2588	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1032	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2588	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	30
PID 2996 wrote to memory of 2588	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	30
PID 2996 wrote to memory of 2588	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	30
PID 2996 wrote to memory of 2588	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	30
PID 2996 wrote to memory of 2664	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	32
PID 2996 wrote to memory of 2664	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	32
PID 2996 wrote to memory of 2664	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	32
PID 2996 wrote to memory of 2664	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	32
PID 2996 wrote to memory of 2548	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	34
PID 2996 wrote to memory of 2548	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	34
PID 2996 wrote to memory of 2548	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	34
PID 2996 wrote to memory of 2548	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	34
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36
PID 2996 wrote to memory of 1032	2996	9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe	36

C:\Users\Admin\AppData\Local\Temp\9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe
"C:\Users\Admin\AppData\Local\Temp\9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PziEWpkpzmEuez.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PziEWpkpzmEuez" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75CC.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe
  "C:\Users\Admin\AppData\Local\Temp\9e24a45fbd62acc58bd0355ddf4c92f6fc7bddd7f82dbc81a744658b7c12b578.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp75CC.tmp

Filesize
1KB

MD5
96d8aec15d284c20428db6425072b569

SHA1
0d2fb6efa3e078b9d1655496784ccb32c7a33461

SHA256
62e3cfd722327a2f0577a0c414613516bfccd708d2d4246cac40b87c790fed23

SHA512
035b21e0c477d5accab1dc0e23345078d47c89a11c72170631fae09edad4b35beaa0276aebd4d4e3ba05adbc32b6d51152c244506495fc2f77c6a9f123648bf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V93BE1S8JK0FEOOHL4S6.temp

Filesize
7KB

MD5
e5c076031eab8834d982f1938fee884b

SHA1
8b34a9bf2cfd2ef10d002b309f33a1dd2d04e0ce

SHA256
2f59357cf6866b457710df4245c3893080d425812728714cdad8dda3f2e68c90

SHA512
ea818bf3cb87b947733067399018bdec3584ee620369222c6a2d6eea31445759540f08e66972512a5f86c5d2c0f4623da04d80b7075b9dc5fe18957f59fa3bba

Download Submit
memory/1032-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1032-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-4-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-5-0x0000000004D50000-0x0000000004DB2000-memory.dmp

Filesize
392KB

Download
memory/2996-28-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/2996-3-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2996-2-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-1-0x0000000001060000-0x00000000010E8000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads