redline | fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe
Size

255KB
MD5

854a42e9a581b2a33ceda0f3d3dd2f04
SHA1

a100a400e570039823c4fd79dc470c13ccfbb266
SHA256

fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80
SHA512

569dc63dc90b1a6efebb9130d2dce133d3600937a1a6440575037b2b8d36b6aff8c607b86ba2ff0192324ed9cbae519e8a4aa3d9dd6e4b3b6f9d8483e043e1c0
SSDEEP

3072:y1hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfHs/FtMtO2NcSINUc9nR:y1hnJ6D1IxPtUyNrsHdmqEfETrSc9nCu

Score

10^/10

redline sectoprat xworm metin defense_evasion discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Metin

duclog23.duckdns.org:37552

Extracted

Family

xworm

duclog23.duckdns.org:7000

Attributes

Install_directory
%AppData%
install_file
Chrome.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015f4e-7.dat	family_xworm
behavioral1/memory/2128-15-0x0000000000FB0000-0x0000000000FC4000-memory.dmp	family_xworm
behavioral1/memory/1364-48-0x0000000001360000-0x0000000001374000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001277d-8.dat	family_redline
behavioral1/memory/2864-16-0x0000000000ED0000-0x0000000000EEE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001277d-8.dat	family_sectoprat
behavioral1/memory/2864-16-0x0000000000ED0000-0x0000000000EEE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2424	powershell.exe
2000	powershell.exe
2744	powershell.exe
3060	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe

Executes dropped EXE 5 IoCs

pid	Process
2864	M2.exe
2128	Metin.exe
1364	Chrome.exe
992	Chrome.exe
2964	Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe
2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Metin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1232	powershell.exe
2424	powershell.exe
2000	powershell.exe
2744	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	Metin.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2864	M2.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2128	Metin.exe
Token: SeDebugPrivilege	1364	Chrome.exe
Token: SeDebugPrivilege	992	Chrome.exe
Token: SeDebugPrivilege	2964	Chrome.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1232	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	31
PID 2240 wrote to memory of 1232	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	31
PID 2240 wrote to memory of 1232	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	31
PID 2240 wrote to memory of 1232	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	31
PID 2240 wrote to memory of 2864	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	33
PID 2240 wrote to memory of 2864	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	33
PID 2240 wrote to memory of 2864	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	33
PID 2240 wrote to memory of 2864	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	33
PID 2240 wrote to memory of 2128	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	34
PID 2240 wrote to memory of 2128	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	34
PID 2240 wrote to memory of 2128	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	34
PID 2240 wrote to memory of 2128	2240	fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe	34
PID 2128 wrote to memory of 2424	2128	Metin.exe	37
PID 2128 wrote to memory of 2424	2128	Metin.exe	37
PID 2128 wrote to memory of 2424	2128	Metin.exe	37
PID 2128 wrote to memory of 2000	2128	Metin.exe	39
PID 2128 wrote to memory of 2000	2128	Metin.exe	39
PID 2128 wrote to memory of 2000	2128	Metin.exe	39
PID 2128 wrote to memory of 2744	2128	Metin.exe	41
PID 2128 wrote to memory of 2744	2128	Metin.exe	41
PID 2128 wrote to memory of 2744	2128	Metin.exe	41
PID 2128 wrote to memory of 3060	2128	Metin.exe	43
PID 2128 wrote to memory of 3060	2128	Metin.exe	43
PID 2128 wrote to memory of 3060	2128	Metin.exe	43
PID 2128 wrote to memory of 1760	2128	Metin.exe	45
PID 2128 wrote to memory of 1760	2128	Metin.exe	45
PID 2128 wrote to memory of 1760	2128	Metin.exe	45
PID 2104 wrote to memory of 1364	2104	taskeng.exe	48
PID 2104 wrote to memory of 1364	2104	taskeng.exe	48
PID 2104 wrote to memory of 1364	2104	taskeng.exe	48
PID 2104 wrote to memory of 992	2104	taskeng.exe	49
PID 2104 wrote to memory of 992	2104	taskeng.exe	49
PID 2104 wrote to memory of 992	2104	taskeng.exe	49
PID 2104 wrote to memory of 2964	2104	taskeng.exe	51
PID 2104 wrote to memory of 2964	2104	taskeng.exe	51
PID 2104 wrote to memory of 2964	2104	taskeng.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe
"C:\Users\Admin\AppData\Local\Temp\fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Users\Admin\AppData\Roaming\M2.exe
  "C:\Users\Admin\AppData\Roaming\M2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Users\Admin\AppData\Roaming\Metin.exe
  "C:\Users\Admin\AppData\Roaming\Metin.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1760

C:\Windows\system32\taskeng.exe
taskeng.exe {D72226E6-016A-4E98-8FEA-E59FD8DE03E1} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\M2.exe

Filesize
95KB

MD5
2598b5fee38d9c0979f009e77f94ea33

SHA1
9c2c0f0734fbf16853de911868024dfbed91e5ec

SHA256
00a709baca231f15267526d7b5db11cd94b0089ed6cfd1667a1ff2ebd584c266

SHA512
d6fa07fdfa6493c3abe95c650dca114b1737d8812fe86476ef8afbb1d34e50b537821a7958acdc243246484fc4f28dd208db4328663bbc22ec79ae34f3340c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GJL8AZX3BLRB5KUSBQJF.temp

Filesize
7KB

MD5
128ad6cff5bb33b1fa221d93c1a38dca

SHA1
19a9c20a423761563b32fb1a92a6018bfe97e8c4

SHA256
8972f855bea950e9b5c8525236217801cec63e1222b785a0e35d2df8f015faa1

SHA512
f2fb70b728311d9c425c6262c52241df172af7285a400f8156e3ef18bd595b8b82879e9437446a8f975aa82084752c5345d669358fec50de4d18da20016a0120

Download Submit
\Users\Admin\AppData\Roaming\Metin.exe

Filesize
51KB

MD5
1d846637aa409d6dd4fd14f70a63f907

SHA1
a0f494b321ef5bd5b95f60d4ee9e4ae836d73b8a

SHA256
08a5ab51f8eee96d3837aaef4d74bf672d937056118003ecfa0e4df9dae49125

SHA512
259bd4d63bd69cdfd9a29303dc5ef3174136353daad23747c4589ed5b760d9905285211850bf49fde37c0ba355f3e463df6633a518affb270cfeb9f24885508c

Download Submit
memory/1364-48-0x0000000001360000-0x0000000001374000-memory.dmp

Filesize
80KB

Download
memory/2000-29-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2000-30-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2128-15-0x0000000000FB0000-0x0000000000FC4000-memory.dmp

Filesize
80KB

Download
memory/2424-22-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2424-23-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2864-16-0x0000000000ED0000-0x0000000000EEE000-memory.dmp

Filesize
120KB

Download