redline | b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe
Size

719KB
MD5

cb1ec5ba1074408e40bcdcfd7ec3d52e
SHA1

650511091c20d144e6674b0aa6256dddb08cbe71
SHA256

b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28
SHA512

300dd5ac177afdb99f5aa8bb2c510b09ac9ab96e8969304a70cada0af57afd7003ebbbf5cad67ad632268da2c0469e12da407fddc01e746e2f7de319c093ab1f
SSDEEP

6144:A7Ye0biFuvf739mHQQjpbjpS8qTh7ph6juyk4xVPEacuFO+KMMmC+Jau7TObunel:A7YbvfQrR21rN/Fu9b4Ng7Fw

Score

10^/10

redline sectoprat 1.0.2.0 discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

1.0.2.0

185.183.32.227:51498

Attributes

auth_value
aae45f951b3721694f220729d6c8896b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1228-26-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1228-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1228-23-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1228-20-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1228-18-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1228-26-0x0000000000400000-0x0000000000432000-memory.dmp	family_sectoprat
behavioral1/memory/1228-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_sectoprat
behavioral1/memory/1228-23-0x0000000000400000-0x0000000000432000-memory.dmp	family_sectoprat
behavioral1/memory/1228-20-0x0000000000400000-0x0000000000432000-memory.dmp	family_sectoprat
behavioral1/memory/1228-18-0x0000000000400000-0x0000000000432000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2812	powershell.exe
2704	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

Madder.exeMadder.exe

pid	Process
2788	Madder.exe
1228	Madder.exe

Loads dropped DLL 3 IoCs

Processes:

cmd.exeMadder.exe

pid	Process
2872	cmd.exe
2872	cmd.exe
2788	Madder.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Madder.exe

description	pid	Process	procid_target
PID 2788 set thread context of 1228	2788	Madder.exe	37

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeMadder.exeb8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.execmd.execmd.exepowershell.exeMadder.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2812	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.execmd.execmd.exeMadder.exe

description	pid	Process	procid_target
PID 2800 wrote to memory of 2808	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	30
PID 2800 wrote to memory of 2808	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	30
PID 2800 wrote to memory of 2808	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	30
PID 2800 wrote to memory of 2808	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	30
PID 2800 wrote to memory of 2872	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	31
PID 2800 wrote to memory of 2872	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	31
PID 2800 wrote to memory of 2872	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	31
PID 2800 wrote to memory of 2872	2800	b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe	31
PID 2808 wrote to memory of 2812	2808	cmd.exe	34
PID 2808 wrote to memory of 2812	2808	cmd.exe	34
PID 2808 wrote to memory of 2812	2808	cmd.exe	34
PID 2808 wrote to memory of 2812	2808	cmd.exe	34
PID 2872 wrote to memory of 2788	2872	cmd.exe	35
PID 2872 wrote to memory of 2788	2872	cmd.exe	35
PID 2872 wrote to memory of 2788	2872	cmd.exe	35
PID 2872 wrote to memory of 2788	2872	cmd.exe	35
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2808 wrote to memory of 2704	2808	cmd.exe	38
PID 2808 wrote to memory of 2704	2808	cmd.exe	38
PID 2808 wrote to memory of 2704	2808	cmd.exe	38
PID 2808 wrote to memory of 2704	2808	cmd.exe	38
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37
PID 2788 wrote to memory of 1228	2788	Madder.exe	37

C:\Users\Admin\AppData\Local\Temp\b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe
"C:\Users\Admin\AppData\Local\Temp\b8fc501eb333ec3e8e4aa801e739f119ffe667a77f6f7476e2543da1b1c3fb28.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\Madder.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\Madder.exe
    C:\Users\Admin\AppData\Local\Temp\Madder.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\Madder.exe
      C:\Users\Admin\AppData\Local\Temp\Madder.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1b0856475bb7b0adb29527ad86bd1c8a

SHA1
079dbc3e82669b96e58d35873cfc87eb802e5cd0

SHA256
64ec442a07d37b7e7d1725b8b94885becbb95608e8e19093abcf866803d7445a

SHA512
005ed47b7587813a6f3704dc6dd32fb1b88e6bc457246091c9204b4ee6d2c14c922fa42d621481cc88b1d93f93140ba0e7b16dc29f2803bb55417fb408d28db2

Download Submit
\Users\Admin\AppData\Local\Temp\Madder.exe

Filesize
648KB

MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
memory/1228-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1228-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2788-7-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download