redline | f8ca73244af9fda654d6a50513c75afe9a401fb04795547f0169cf3912c47293

General

Target

926f334c36cd988740db7855f3548009_JaffaCakes118.exe
Size

364KB
MD5

926f334c36cd988740db7855f3548009
SHA1

38930cbf15d11d4a041d5b369ec169ed50ae86e8
SHA256

f8ca73244af9fda654d6a50513c75afe9a401fb04795547f0169cf3912c47293
SHA512

edbdd0c5a4760b7bf7aa369ece597b97140393c2ee7a878b85375fa1ca186284fa56ae5dc77d599fe89cf824e5c659106253c324004af6ca288b0e7c6c320c6c
SSDEEP

6144:OD53VYhMxqGpeo7cBZ1S5DMKplFgCdz9vniQqsFTybyM+LTi3coKiR+YMPK0:lhaqG2BZ1Sd/gCdz1niLsFGOq3PR+YR0

Score

10^/10

redline sectoprat 806new discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

806new

C2

erideeiles.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2904-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2904-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4684 set thread context of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	926f334c36cd988740db7855f3548009_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	926f334c36cd988740db7855f3548009_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe
Token: SeDebugPrivilege	2904	926f334c36cd988740db7855f3548009_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 1320	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	89
PID 4684 wrote to memory of 1320	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	89
PID 4684 wrote to memory of 1320	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	89
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90
PID 4684 wrote to memory of 2904	4684	926f334c36cd988740db7855f3548009_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\926f334c36cd988740db7855f3548009_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\926f334c36cd988740db7855f3548009_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\926f334c36cd988740db7855f3548009_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\926f334c36cd988740db7855f3548009_JaffaCakes118.exe
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\926f334c36cd988740db7855f3548009_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\926f334c36cd988740db7855f3548009_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\926f334c36cd988740db7855f3548009_JaffaCakes118.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
memory/2904-16-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/2904-15-0x00000000031C0000-0x00000000031D2000-memory.dmp

Filesize
72KB

Download
memory/2904-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2904-19-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/2904-18-0x00000000056C0000-0x000000000570C000-memory.dmp

Filesize
304KB

Download
memory/2904-17-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2904-12-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/2904-13-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2904-20-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4684-3-0x0000000004A00000-0x0000000004A92000-memory.dmp

Filesize
584KB

Download
memory/4684-14-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4684-8-0x0000000004C00000-0x0000000004C28000-memory.dmp

Filesize
160KB

Download
memory/4684-7-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4684-2-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/4684-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/4684-6-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/4684-5-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/4684-4-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4684-1-0x0000000000010000-0x0000000000070000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing