redline | 325e22d8dba548d64047458fde7d8dda2fcfcc1e711f0dc46630c9750dd4ea9f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2024, 15:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
Size

2.3MB
MD5

e222be0565282bbd796d02f502b3940e
SHA1

e3f8f52b25d2e9d32ec0b1fa66fab8979c84be3a
SHA256

325e22d8dba548d64047458fde7d8dda2fcfcc1e711f0dc46630c9750dd4ea9f
SHA512

947bd604839ba08cc95018bbeb2c18473ea86a52814f3bd8d8d9cb4e478735253d34e83bfa7cdd06a8524b0b3124ed6c373cd4eb17cf3b4397cba90abcc3a6df
SSDEEP

49152:55+hFiL/0cAr+wWZVuxTrm2PUf26RUSVT3MIUlf2xiz8lVHTIioOFZQ+0:55aFiL/07SwWZAx3Vcf2UZ62xiqZ70

Score

10^/10

redline sectoprat @p1pk466 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@p1pk466

45.14.49.109:54819

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9e-32.dat	family_redline
behavioral2/memory/2328-35-0x00000000006F0000-0x000000000070E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9e-32.dat	family_sectoprat
behavioral2/memory/2328-35-0x00000000006F0000-0x000000000070E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3460	7z.exe
1484	7z.exe
3164	7z.exe
2328	@p1pk466.exe

Loads dropped DLL 3 IoCs

pid	Process
3460	7z.exe
1484	7z.exe
3164	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@p1pk466.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	3460	7z.exe
Token: 35	3460	7z.exe
Token: SeSecurityPrivilege	3460	7z.exe
Token: SeSecurityPrivilege	3460	7z.exe
Token: SeRestorePrivilege	1484	7z.exe
Token: 35	1484	7z.exe
Token: SeSecurityPrivilege	1484	7z.exe
Token: SeSecurityPrivilege	1484	7z.exe
Token: SeRestorePrivilege	3164	7z.exe
Token: 35	3164	7z.exe
Token: SeSecurityPrivilege	3164	7z.exe
Token: SeSecurityPrivilege	3164	7z.exe
Token: SeDebugPrivilege	2328	@p1pk466.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4448	3940	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe	83
PID 3940 wrote to memory of 4448	3940	e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe	83
PID 4448 wrote to memory of 2276	4448	cmd.exe	85
PID 4448 wrote to memory of 2276	4448	cmd.exe	85
PID 4448 wrote to memory of 3460	4448	cmd.exe	86
PID 4448 wrote to memory of 3460	4448	cmd.exe	86
PID 4448 wrote to memory of 1484	4448	cmd.exe	87
PID 4448 wrote to memory of 1484	4448	cmd.exe	87
PID 4448 wrote to memory of 3164	4448	cmd.exe	88
PID 4448 wrote to memory of 3164	4448	cmd.exe	88
PID 4448 wrote to memory of 904	4448	cmd.exe	89
PID 4448 wrote to memory of 904	4448	cmd.exe	89
PID 4448 wrote to memory of 2328	4448	cmd.exe	90
PID 4448 wrote to memory of 2328	4448	cmd.exe	90
PID 4448 wrote to memory of 2328	4448	cmd.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e file.zip -p -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\system32\attrib.exe
    attrib +H "@p1pk466.exe"
    3⤵
    - Views/modifies file attributes
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\svchost\@p1pk466.exe
    "@p1pk466.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2328

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

95.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.12.20.2.in-addr.arpa

IN PTR

Response

95.12.20.2.in-addr.arpa

IN PTR

a2-20-12-95deploystaticakamaitechnologiescom
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

7.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.173.189.20.in-addr.arpa

IN PTR

Response

45.14.49.109:54819

@p1pk466.exe

260 B
160 B
5
4
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
160 B
5
4
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
200 B
5
5
45.14.49.109:54819

@p1pk466.exe

260 B
160 B
5
4

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

132 B
90 B
2
1

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

213 B
157 B
3
1

DNS Request

76.32.126.40.in-addr.arpa

DNS Request

76.32.126.40.in-addr.arpa

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

95.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

95.12.20.2.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

7.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

7.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@p1pk466.exe

Filesize
100KB

MD5
c925d81a2dd75773b97e6a8d13f6fb4b

SHA1
b6dcd52b9e9a403622aebe65b40e56b22fa98d86

SHA256
0e4c8e36333ce5f43f665d0cb82ce84c4a37a28a0682264e4fa953d5ad6a6ad4

SHA512
c82838e6b1cd6b401749c51aac8f53ff5ddebc3c33fffc1d3700231c7b4333e0506ce3881e059e87eb7bcf1424af800b051ba9a51a8b691f542dd58adad3f5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

Filesize
2.0MB

MD5
5df9e79bb04b19fcab6b85a73413be85

SHA1
430f1a97ffe91b03594a8713142b065b786c7083

SHA256
99ea3b24d8ae6c5c7f60aa3672323cf63e5bc5cb62dafc753c798f91ecb05201

SHA512
b62b1a720e50d774515aa3522b5dbd66bbfb6220b6689cb5a9380b3aa1db5b97f85cc6c538c7f509509e7e70b6f58c9934236d495b19fbafba33bd4d2e71b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

Filesize
40KB

MD5
4254c4b84d63195c954dc5a3279f7b95

SHA1
e06d63515ce330877c64c502ccbe8fe7a934050d

SHA256
860e803573dfc9db7acd05fae0b83c952ac97d4afb3e6c90bfc4ebdca8839dce

SHA512
608034e95ac3227e7815445db0f42fb4a7cb9806ad4b66ba533ea25ca7be43a6ae742d2a0750da1db01a08c926c928e35325b3cebc78d01d1d2b04856b10d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

Filesize
1.5MB

MD5
109887f17629acd9fe674602f268a5ad

SHA1
69784340bd71cc64cfce4f22f27071ca342d9ec1

SHA256
bfd112804ac9a57132537ae209236284f79eea7c154f99288889fa678d0f9761

SHA512
1408cea8a0358567179ff0438b62dec12569f4cd8c3a4e8bf1f1aca67f3bc012330a974ea86d76338831c0475f6e2424c0654f30c8c958c2cece02318f6a4bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

Filesize
1.5MB

MD5
d59bcada5b0f85c3ea964411e2c07a14

SHA1
4d09caebb39f3fa8052c1aed1d1fb8e168eaf2d8

SHA256
a1b94fafd51679a362fe826747a07c79b2f8d4014eb025f1dd36d82c119690ae

SHA512
b9725f76db5e08a5d9b3dd7e699327f633891224e5e02efe92f9d968c192e5b004bba4a29b19b3dd6d93485280c48fc2786874b63ff9bd9f8ae4e583a778c770

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Filesize
452B

MD5
0ff61ab3b929d84c244cc237695b19e9

SHA1
f2cd2da60c8477707de03cd761004a9f519c8b9e

SHA256
e78b5a017124a16b0c5c53bb390a70afc894369a296baee32fd59a5a78ec5796

SHA512
2648162d627cdc26314b47933da41b80d7be60c6247e6759d642aee422384fd7d3fad01627ecb9fe4451a9dc15c53c0fb1d1ebec47ad4f3d25e6bf43b69a9a5a

Download Submit
memory/2328-35-0x00000000006F0000-0x000000000070E000-memory.dmp

Filesize
120KB

Download
memory/2328-36-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/2328-37-0x0000000004F70000-0x0000000004F82000-memory.dmp

Filesize
72KB

Download
memory/2328-38-0x0000000004FD0000-0x000000000500C000-memory.dmp

Filesize
240KB

Download
memory/2328-39-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download
memory/2328-40-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.