redline | 9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148

General

Target

9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
Size

1009KB
MD5

f434636b920cd5f6e9c2281d860e1849
SHA1

2d92e52974dc9ca25a8ed1f987ad706b9658050a
SHA256

9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148
SHA512

32ced4fe05b6255220b7379bf6d7d0604a502c56e0d13610624747af5c3495861088f65ff3d932559f5418e214c4919550510da22a68deb7bbd49e108e7397c6
SSDEEP

24576:dvvrR6K/pKSbGK5pCwPJN9JBpXvrR6K/pKSbGK5pCwPJN9JB5ZXF:dvDgKhGK5FNLBpTgKhGK5FNLBv1

Score

10^/10

redline sectoprat ytuploader [greenbin-card]discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

YTUploader [greenbin-card]

C2

greenbin-card.site:1026

Attributes

auth_value
30073e5da439091f4d55949b78fea690

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2240-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2240-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe

description	pid	process	target process
PID 4620 set thread context of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe

description	pid	process	target process
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
PID 4620 wrote to memory of 2240	4620	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe	9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe

C:\Users\Admin\AppData\Local\Temp\9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
"C:\Users\Admin\AppData\Local\Temp\9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe
  "C:\Users\Admin\AppData\Local\Temp\9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9fd518e53b841324fe208d61956d22a74684f20282000b5acceefda062cf5148.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/2240-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2240-22-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2240-21-0x0000000005310000-0x000000000535C000-memory.dmp

Filesize
304KB

Download
memory/2240-19-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/2240-20-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2240-18-0x00000000053A0000-0x00000000054AA000-memory.dmp

Filesize
1.0MB

Download
memory/2240-17-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2240-16-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/2240-15-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4620-5-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/4620-10-0x0000000006F90000-0x0000000006FD6000-memory.dmp

Filesize
280KB

Download
memory/4620-9-0x0000000006FF0000-0x000000000708C000-memory.dmp

Filesize
624KB

Download
memory/4620-14-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4620-8-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4620-7-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/4620-6-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/4620-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/4620-4-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4620-3-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/4620-2-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/4620-1-0x0000000000AE0000-0x0000000000BB8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads