redline | eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114

General

Target

Eclipse RAT.zip
Size

12.5MB
MD5

30364181c2174678b94d74fcbd16f89d
SHA1

640ca938cd1497f0f7bff46de48d9765949c4214
SHA256

eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114
SHA512

d916e950d80f95d4061b1be6ec829f93631aa92272545b79c46d8bc7f01ba72e84a6e6a38a47ee7cd6723547de7d2c71ecde389154aec5c0a0efd2fa55bf8652
SSDEEP

393216:2xDA4Ulx6CHtKlswnb1q8EptEW7Zb2KOyUbYVNK:IUlxHHGd/E75ZSKjNK

Score

10^/10

redline rhadamanthys discovery infostealer stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://95.214.55.177:2474/fae624c5418d6/black.api

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4932-143-0x0000000000F90000-0x0000000000FE6000-memory.dmp	family_redline

Redline family
redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

main.exe

description pid process target process

PID 3724 created 2864 3724 main.exe sihost.exe
Executes dropped EXE 4 IoCs

Processes:

Eclipse.exebuild.exeEclipse.exemain.exe

pid process

3656 Eclipse.exe
4932 build.exe
3112 Eclipse.exe
3724 main.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3724 created 2864	3724	main.exe	sihost.exe

pid	process
3656	Eclipse.exe
4932	build.exe
3112	Eclipse.exe
3724	main.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

build.exeEclipse.exemain.exedialer.exeEclipse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

main.exedialer.exe

pid process

3724 main.exe
3724 main.exe
4692 dialer.exe
4692 dialer.exe
4692 dialer.exe
4692 dialer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

432 7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

pid	process
3724	main.exe
3724	main.exe
4692	dialer.exe
4692	dialer.exe
4692	dialer.exe
4692	dialer.exe

pid	process
432	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	432	7zFM.exe
Token: 35	432	7zFM.exe
Token: SeSecurityPrivilege	432	7zFM.exe
Token: SeSecurityPrivilege	432	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

432 7zFM.exe
432 7zFM.exe
432 7zFM.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

2404 MiniSearchHost.exe

pid	process
432	7zFM.exe
432	7zFM.exe
432	7zFM.exe

pid	process
2404	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Eclipse.exeEclipse.exemain.exe

description	pid	process	target process
PID 3656 wrote to memory of 4932	3656	Eclipse.exe	build.exe
PID 3656 wrote to memory of 4932	3656	Eclipse.exe	build.exe
PID 3656 wrote to memory of 4932	3656	Eclipse.exe	build.exe
PID 3656 wrote to memory of 3112	3656	Eclipse.exe	Eclipse.exe
PID 3656 wrote to memory of 3112	3656	Eclipse.exe	Eclipse.exe
PID 3656 wrote to memory of 3112	3656	Eclipse.exe	Eclipse.exe
PID 3112 wrote to memory of 3724	3112	Eclipse.exe	main.exe
PID 3112 wrote to memory of 3724	3112	Eclipse.exe	main.exe
PID 3112 wrote to memory of 3724	3112	Eclipse.exe	main.exe
PID 3724 wrote to memory of 4692	3724	main.exe	dialer.exe
PID 3724 wrote to memory of 4692	3724	main.exe	dialer.exe
PID 3724 wrote to memory of 4692	3724	main.exe	dialer.exe
PID 3724 wrote to memory of 4692	3724	main.exe	dialer.exe
PID 3724 wrote to memory of 4692	3724	main.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2864
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4692

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Eclipse RAT.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:432

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3056

C:\Users\Admin\Desktop\Eclipse RAT\Eclipse.exe
"C:\Users\Admin\Desktop\Eclipse RAT\Eclipse.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
  "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
711f1a880c08e1f7867f1bdd117320b7

SHA1
50c2d0859f6fd41024d486e2ab537507b975991d

SHA256
f868e98aa21c341e365d73e301d87c006b557033d8d7b2808fed207734fe5143

SHA512
885c2abd9047727b33ea760836cbbe4eaf5fddc08375a8b37840c99332131f0f7164f87c0abeb4523f42262349ab12a1c22c12813a9d81d6955c7d20b41a9a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

Filesize
11.6MB

MD5
d1b974d3816357532a0de6b388c5c361

SHA1
fef9e938027e649ebbcffb074c65d46b2d0a1621

SHA256
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499

SHA512
c4025fd2cc9c08c7319fc9574913d793954ba93b01288a5f03cf12beeaa40617c182f850ab40c1be434c80024632f395a355622f1bc4d0ce4dae987d43868f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
448KB

MD5
e1e28c3acf184aa364c9ed9a30ab7289

SHA1
1a173a6f4ec39fe467f1b4b91c9fad794167ac1c

SHA256
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306

SHA512
e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

Download Submit
C:\Users\Admin\Desktop\Eclipse RAT\Eclipse.exe

Filesize
12.1MB

MD5
e94abe514202de0a3e24c0f45ccea8a6

SHA1
27770fa35ea2ca6e1cd87f669e21f5e29cfaa381

SHA256
c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

SHA512
1fe72a35e6e0da642c42848d5009538ab97d5e833466abd25f2aa03e96f8b637a2a9a30054c8ebdf4cdf80570e39f387c9b6a535105a3e9b36b846570114c0d3

Download Submit
memory/3112-158-0x0000000000400000-0x0000000000F9C000-memory.dmp

Filesize
11.6MB

Download
memory/3656-140-0x0000000000400000-0x0000000001020000-memory.dmp

Filesize
12.1MB

Download
memory/3724-159-0x00000000002A0000-0x0000000000328000-memory.dmp

Filesize
544KB

Download
memory/3724-171-0x0000000077990000-0x0000000077BE2000-memory.dmp

Filesize
2.3MB

Download
memory/3724-173-0x00000000002A0000-0x0000000000328000-memory.dmp

Filesize
544KB

Download
memory/3724-167-0x0000000003610000-0x0000000003A10000-memory.dmp

Filesize
4.0MB

Download
memory/3724-168-0x0000000003610000-0x0000000003A10000-memory.dmp

Filesize
4.0MB

Download
memory/3724-169-0x00007FFB83980000-0x00007FFB83B89000-memory.dmp

Filesize
2.0MB

Download
memory/4692-178-0x0000000077990000-0x0000000077BE2000-memory.dmp

Filesize
2.3MB

Download
memory/4692-176-0x00007FFB83980000-0x00007FFB83B89000-memory.dmp

Filesize
2.0MB

Download
memory/4692-175-0x0000000002B70000-0x0000000002F70000-memory.dmp

Filesize
4.0MB

Download
memory/4692-172-0x0000000000E60000-0x0000000000E69000-memory.dmp

Filesize
36KB

Download
memory/4932-143-0x0000000000F90000-0x0000000000FE6000-memory.dmp

Filesize
344KB

Download
memory/4932-164-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/4932-163-0x0000000005740000-0x000000000577C000-memory.dmp

Filesize
240KB

Download
memory/4932-162-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/4932-161-0x00000000056C0000-0x00000000056D2000-memory.dmp

Filesize
72KB

Download
memory/4932-160-0x0000000005D60000-0x0000000006378000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads