redline | 5522dd43e239218077b330930effb48aed071c2345e7fca106d14d321b7cf87d

General

Target

95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe
Size

115KB
MD5

95f576a6fab1f271650f41306a73ccf4
SHA1

3101f46dba9c3b671523fcd9c067aa4a2912bb7d
SHA256

5522dd43e239218077b330930effb48aed071c2345e7fca106d14d321b7cf87d
SHA512

fc2911936d1b2055d861def6711e2f7938189830b43f9a8b3d6fb062f588ae258fc420dddfe4bbe492f61fcfe6bfa5d89901f36c243173174b1db4880ad31dad
SSDEEP

1536:5ZlPUgQ07Km2APlPT66hfrQXXdBO/npYp78mGUnD5Kfxmo5g+uCwRiXHFMurEYX:5MgQ07KmHPZxUX6RY+mG2MpmDSmu

Score

10^/10

redline sectoprat @rusthacksfordumbs discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@rusthacksfordumbs

C2

51.254.69.209:48987

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2788-3-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2788-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2788-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2788-3-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2788-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2788-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	1320	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2788	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2792	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	31
PID 1320 wrote to memory of 2792	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	31
PID 1320 wrote to memory of 2792	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	31
PID 1320 wrote to memory of 2792	1320	95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95f576a6fab1f271650f41306a73ccf4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 52
  2⤵
  - Program crash
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-1-0x0000000000340000-0x0000000000440000-memory.dmp

Filesize
1024KB

Download
memory/2788-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-12-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2788-13-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-14-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2788-15-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing