redline | 325e22d8dba548d64047458fde7d8dda2fcfcc1e711f0dc46630c9750dd4ea9f

General

Target

e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
Size

2.3MB
MD5

e222be0565282bbd796d02f502b3940e
SHA1

e3f8f52b25d2e9d32ec0b1fa66fab8979c84be3a
SHA256

325e22d8dba548d64047458fde7d8dda2fcfcc1e711f0dc46630c9750dd4ea9f
SHA512

947bd604839ba08cc95018bbeb2c18473ea86a52814f3bd8d8d9cb4e478735253d34e83bfa7cdd06a8524b0b3124ed6c373cd4eb17cf3b4397cba90abcc3a6df
SSDEEP

49152:55+hFiL/0cAr+wWZVuxTrm2PUf26RUSVT3MIUlf2xiz8lVHTIioOFZQ+0:55aFiL/07SwWZAx3Vcf2UZ62xiqZ70

Score

10^/10

redline sectoprat @p1pk466 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@p1pk466

C2

45.14.49.109:54819

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000186ee-42.dat	family_redline
behavioral1/memory/2632-43-0x00000000010A0000-0x00000000010BE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000186ee-42.dat	family_sectoprat
behavioral1/memory/2632-43-0x00000000010A0000-0x00000000010BE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 4 IoCs

pid	Process
2576	7z.exe
1248	7z.exe
2684	7z.exe
2632	@p1pk466.exe

Loads dropped DLL 6 IoCs

pid	Process
2880	cmd.exe
2576	7z.exe
2880	cmd.exe
1248	7z.exe
2880	cmd.exe
2684	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@p1pk466.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2632	@p1pk466.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2576	7z.exe
Token: 35	2576	7z.exe
Token: SeSecurityPrivilege	2576	7z.exe
Token: SeSecurityPrivilege	2576	7z.exe
Token: SeRestorePrivilege	1248	7z.exe
Token: 35	1248	7z.exe
Token: SeSecurityPrivilege	1248	7z.exe
Token: SeSecurityPrivilege	1248	7z.exe
Token: SeRestorePrivilege	2684	7z.exe
Token: 35	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeDebugPrivilege	2632	@p1pk466.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2880	2872	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2880	2872	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2880	2872	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2880	2872	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2948	2880	cmd.exe	30
PID 2880 wrote to memory of 2948	2880	cmd.exe	30
PID 2880 wrote to memory of 2948	2880	cmd.exe	30
PID 2880 wrote to memory of 2576	2880	cmd.exe	31
PID 2880 wrote to memory of 2576	2880	cmd.exe	31
PID 2880 wrote to memory of 2576	2880	cmd.exe	31
PID 2880 wrote to memory of 1248	2880	cmd.exe	32
PID 2880 wrote to memory of 1248	2880	cmd.exe	32
PID 2880 wrote to memory of 1248	2880	cmd.exe	32
PID 2880 wrote to memory of 2684	2880	cmd.exe	33
PID 2880 wrote to memory of 2684	2880	cmd.exe	33
PID 2880 wrote to memory of 2684	2880	cmd.exe	33
PID 2880 wrote to memory of 2600	2880	cmd.exe	34
PID 2880 wrote to memory of 2600	2880	cmd.exe	34
PID 2880 wrote to memory of 2600	2880	cmd.exe	34
PID 2880 wrote to memory of 2632	2880	cmd.exe	35
PID 2880 wrote to memory of 2632	2880	cmd.exe	35
PID 2880 wrote to memory of 2632	2880	cmd.exe	35
PID 2880 wrote to memory of 2632	2880	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2600	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e file.zip -p -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\system32\attrib.exe
    attrib +H "@p1pk466.exe"
    3⤵
    - Views/modifies file attributes
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\svchost\@p1pk466.exe
    "@p1pk466.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\@p1pk466.exe

Filesize
100KB

MD5
c925d81a2dd75773b97e6a8d13f6fb4b

SHA1
b6dcd52b9e9a403622aebe65b40e56b22fa98d86

SHA256
0e4c8e36333ce5f43f665d0cb82ce84c4a37a28a0682264e4fa953d5ad6a6ad4

SHA512
c82838e6b1cd6b401749c51aac8f53ff5ddebc3c33fffc1d3700231c7b4333e0506ce3881e059e87eb7bcf1424af800b051ba9a51a8b691f542dd58adad3f5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

Filesize
2.0MB

MD5
5df9e79bb04b19fcab6b85a73413be85

SHA1
430f1a97ffe91b03594a8713142b065b786c7083

SHA256
99ea3b24d8ae6c5c7f60aa3672323cf63e5bc5cb62dafc753c798f91ecb05201

SHA512
b62b1a720e50d774515aa3522b5dbd66bbfb6220b6689cb5a9380b3aa1db5b97f85cc6c538c7f509509e7e70b6f58c9934236d495b19fbafba33bd4d2e71b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

Filesize
40KB

MD5
4254c4b84d63195c954dc5a3279f7b95

SHA1
e06d63515ce330877c64c502ccbe8fe7a934050d

SHA256
860e803573dfc9db7acd05fae0b83c952ac97d4afb3e6c90bfc4ebdca8839dce

SHA512
608034e95ac3227e7815445db0f42fb4a7cb9806ad4b66ba533ea25ca7be43a6ae742d2a0750da1db01a08c926c928e35325b3cebc78d01d1d2b04856b10d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

Filesize
1.5MB

MD5
109887f17629acd9fe674602f268a5ad

SHA1
69784340bd71cc64cfce4f22f27071ca342d9ec1

SHA256
bfd112804ac9a57132537ae209236284f79eea7c154f99288889fa678d0f9761

SHA512
1408cea8a0358567179ff0438b62dec12569f4cd8c3a4e8bf1f1aca67f3bc012330a974ea86d76338831c0475f6e2424c0654f30c8c958c2cece02318f6a4bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

Filesize
1.5MB

MD5
d59bcada5b0f85c3ea964411e2c07a14

SHA1
4d09caebb39f3fa8052c1aed1d1fb8e168eaf2d8

SHA256
a1b94fafd51679a362fe826747a07c79b2f8d4014eb025f1dd36d82c119690ae

SHA512
b9725f76db5e08a5d9b3dd7e699327f633891224e5e02efe92f9d968c192e5b004bba4a29b19b3dd6d93485280c48fc2786874b63ff9bd9f8ae4e583a778c770

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Filesize
452B

MD5
0ff61ab3b929d84c244cc237695b19e9

SHA1
f2cd2da60c8477707de03cd761004a9f519c8b9e

SHA256
e78b5a017124a16b0c5c53bb390a70afc894369a296baee32fd59a5a78ec5796

SHA512
2648162d627cdc26314b47933da41b80d7be60c6247e6759d642aee422384fd7d3fad01627ecb9fe4451a9dc15c53c0fb1d1ebec47ad4f3d25e6bf43b69a9a5a

Download Submit
memory/2632-43-0x00000000010A0000-0x00000000010BE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing