redline | 49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe
Size

1.0MB
MD5

a08fedd1af1461cd057783b833b75c1a
SHA1

0422a45292fde8398a5a3f3f1a228b2d882075b5
SHA256

49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921
SHA512

07cc0e7ec0eeab10fcb3fa2e58231c366c0a999bfb2df0968253d5461e155d603a8224cb37e9a0dfc0a1e75c24a4cb86d25d0a06efdf23514744f6f9c511efdd
SSDEEP

24576:qSLX3jL0oSml1h4rZwFamT0Mr+GoJDgsKFlb9z9:REoNsIamT0bGcgvxx

Score

10^/10

redline sectoprat tony1008 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

tony1008

193.188.22.4:45689

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2744-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2744-35-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2744-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2744-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2744-35-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2744-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHWBEogcsR.url	Sapete.exe.com

Executes dropped EXE 3 IoCs

pid	Process
2928	Sapete.exe.com
2828	Sapete.exe.com
2744	RegAsm.exe

Loads dropped DLL 4 IoCs

pid	Process
2936	cmd.exe
2928	Sapete.exe.com
2828	Sapete.exe.com
2744	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2744	2828	Sapete.exe.com	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sapete.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sapete.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2820	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2820	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2828	Sapete.exe.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2928	Sapete.exe.com
2928	Sapete.exe.com
2928	Sapete.exe.com
2828	Sapete.exe.com
2828	Sapete.exe.com
2828	Sapete.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2928	Sapete.exe.com
2928	Sapete.exe.com
2928	Sapete.exe.com
2828	Sapete.exe.com
2828	Sapete.exe.com
2828	Sapete.exe.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2160	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2160	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2160	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2160	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	30
PID 1760 wrote to memory of 1964	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	31
PID 1760 wrote to memory of 1964	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	31
PID 1760 wrote to memory of 1964	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	31
PID 1760 wrote to memory of 1964	1760	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2936	1964	cmd.exe	33
PID 1964 wrote to memory of 2936	1964	cmd.exe	33
PID 1964 wrote to memory of 2936	1964	cmd.exe	33
PID 1964 wrote to memory of 2936	1964	cmd.exe	33
PID 2936 wrote to memory of 2924	2936	cmd.exe	34
PID 2936 wrote to memory of 2924	2936	cmd.exe	34
PID 2936 wrote to memory of 2924	2936	cmd.exe	34
PID 2936 wrote to memory of 2924	2936	cmd.exe	34
PID 2936 wrote to memory of 2928	2936	cmd.exe	35
PID 2936 wrote to memory of 2928	2936	cmd.exe	35
PID 2936 wrote to memory of 2928	2936	cmd.exe	35
PID 2936 wrote to memory of 2928	2936	cmd.exe	35
PID 2936 wrote to memory of 2820	2936	cmd.exe	36
PID 2936 wrote to memory of 2820	2936	cmd.exe	36
PID 2936 wrote to memory of 2820	2936	cmd.exe	36
PID 2936 wrote to memory of 2820	2936	cmd.exe	36
PID 2928 wrote to memory of 2828	2928	Sapete.exe.com	37
PID 2928 wrote to memory of 2828	2928	Sapete.exe.com	37
PID 2928 wrote to memory of 2828	2928	Sapete.exe.com	37
PID 2928 wrote to memory of 2828	2928	Sapete.exe.com	37
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38
PID 2828 wrote to memory of 2744	2828	Sapete.exe.com	38

C:\Users\Admin\AppData\Local\Temp\a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Ogni.cab
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^kFkkCweteokIGxUGjOtmnesFfoGwECEIbjuYaFuyaLppmuaDjBQwmHGogFWzxwmADClxhWhHHYuNSiuoQrPrLC$" Mette.cab
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
      Sapete.exe.com L
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Amo.cab

Filesize
932KB

MD5
42b8dfcab48c591aa8038a87be160269

SHA1
e458c1f76385ac9429bc108b20212c386f36a6d9

SHA256
7c1594b00cc334b037f1659bbe8862da2c14d8bd21ed88ec47754152d034eb0c

SHA512
72e38458d38f4607c7e9820f84646d9aae151e951e2df7c9ed05a03c0c04d5f6974e981af081269a49378b1d44a6a036ee6f2ce35474ef0f700afb848816714c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Carne.cab

Filesize
100KB

MD5
0c427e6f16dc32614a39500f504cb381

SHA1
d55fe1964be896f2d8ca7a99d05474e5c4b53646

SHA256
12b0e9178895ce07ca693db69f66e02c2b82fdc226c1b26875858914ab8e63c5

SHA512
9eef44536f6675292fbf5d8edddbf2b66729340972275cc3a407917fb1992e69224aa66055fd3d4117678385a6626206ba73f57b28264ea67bee01ffd8f30d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mette.cab

Filesize
872KB

MD5
023ac056066caccddddf89f9f2d82f75

SHA1
bb84162b4c7faca2191e7337564ab6bb77c15c86

SHA256
d1b196714edee779c2b81c5c5ba32ca0ddbd4818d17df7ad00967eadcc8b8bbe

SHA512
2ab0af4d14b1b5191925b86108dcbc636cdf5e9b4379d2b56afe0836d1de70d1473cce8a7faa8857863ec93945afaf33eaffa196d02a728859e9084265127114

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ogni.cab

Filesize
528B

MD5
f942cd7ee1aa109106ad0de627cd56a9

SHA1
46ab21a3270770b9510f594fc33ff7628a17540c

SHA256
dd08a926408b1e7d0687f45fe57dcdb0d5e6d04e25a8c4de383ee2b2b69da009

SHA512
ce02b2f215334ce7c1ffe32899b9d614c0b31004af053dcf0aea484cd377d816f09f37c1e9a3cfb45a8ac99939011adbc2c81d2b6bd68cdf98067b208c74d68e

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2744-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2744-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2744-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download