redline | 1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64.exe
Size

768KB
MD5

9cc7e3f594de7fbe392b1ab4590f7a30
SHA1

7985bf11bd532322134f15524779c2ab97fb99dd
SHA256

1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64
SHA512

42abdb32eabcee0b7ea76a367a0bf005e21b26b7c1c03d02c7f7f7bc55d4a2ea5a31e9e61b757d3cafd7e76a26dc3163458f7638f094fcfa1b5e0a12618fe970
SSDEEP

12288:1paoy89TKFdcgviDi01Of+xLsdG2pjiTxUlJ8LEKShOMyMryAU9XdHTSczcBFkHf:1UzRb7W+hJ0r8yM9wdzSczcBFkHf

Score

10^/10

redline sectoprat @durak9876 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@Durak9876

95.181.152.5:46927

Attributes

auth_value
cdf3919a262c0d6ba99116b375d7551c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000360000-0x0000000000391000-memory.dmp	family_redline
behavioral1/memory/2424-8-0x0000000001FD0000-0x0000000001FF2000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000360000-0x0000000000391000-memory.dmp	family_sectoprat
behavioral1/memory/2424-8-0x0000000001FD0000-0x0000000001FF2000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64.exe

C:\Users\Admin\AppData\Local\Temp\1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64.exe
"C:\Users\Admin\AppData\Local\Temp\1effa8d05a3c2c4ab18b028595a886beb1311f50311228292f9546d0d73a5a64.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2424-0-0x0000000000360000-0x0000000000391000-memory.dmp

Filesize
196KB

Download
memory/2424-7-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2424-8-0x0000000001FD0000-0x0000000001FF2000-memory.dmp

Filesize
136KB

Download
memory/2424-9-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-10-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-11-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2424-12-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-13-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-14-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download