redline | 85273b02df3b1611648f0187d890fbbefed5865f93453af003a18e8729b1e627

General

Target

f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe
Size

1.1MB
MD5

f37bc82cabddf6a2435471b1ccaabd28
SHA1

c059334d7becada6015d5ee98f14fd5a7e35b03e
SHA256

85273b02df3b1611648f0187d890fbbefed5865f93453af003a18e8729b1e627
SHA512

adec9695688c782148c39f215efbae6d07cd139317e34c51658640de251c5cbb03db8a0e8635fbc5a682e85c29ad41826cc71d548bfdfc7ade714a33ac7a5026
SSDEEP

24576:RSLXvGxcpX6vR5lqSTx3QnPypPBwijZ4XyKFO1uY7m5HQYk:6OaYZ5jQn6VBwid4XyuqRyk

Score

10^/10

redline sectoprat felix1008 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

felix1008

C2

193.188.22.4:45689

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1240-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1240-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eRvZmSJdOd.url	Orlo.exe.com

Executes dropped EXE 3 IoCs

pid	Process
3064	Orlo.exe.com
3800	Orlo.exe.com
1240	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 1240	3800	Orlo.exe.com	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orlo.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orlo.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3628	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3628	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3800	Orlo.exe.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3064	Orlo.exe.com
3064	Orlo.exe.com
3064	Orlo.exe.com
3800	Orlo.exe.com
3800	Orlo.exe.com
3800	Orlo.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3064	Orlo.exe.com
3064	Orlo.exe.com
3064	Orlo.exe.com
3800	Orlo.exe.com
3800	Orlo.exe.com
3800	Orlo.exe.com

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4340	4928	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe	83
PID 4928 wrote to memory of 4340	4928	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe	83
PID 4928 wrote to memory of 4340	4928	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe	83
PID 4928 wrote to memory of 4820	4928	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe	84
PID 4928 wrote to memory of 4820	4928	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe	84
PID 4928 wrote to memory of 4820	4928	f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe	84
PID 4820 wrote to memory of 1804	4820	cmd.exe	86
PID 4820 wrote to memory of 1804	4820	cmd.exe	86
PID 4820 wrote to memory of 1804	4820	cmd.exe	86
PID 1804 wrote to memory of 5096	1804	cmd.exe	87
PID 1804 wrote to memory of 5096	1804	cmd.exe	87
PID 1804 wrote to memory of 5096	1804	cmd.exe	87
PID 1804 wrote to memory of 3064	1804	cmd.exe	88
PID 1804 wrote to memory of 3064	1804	cmd.exe	88
PID 1804 wrote to memory of 3064	1804	cmd.exe	88
PID 1804 wrote to memory of 3628	1804	cmd.exe	89
PID 1804 wrote to memory of 3628	1804	cmd.exe	89
PID 1804 wrote to memory of 3628	1804	cmd.exe	89
PID 3064 wrote to memory of 3800	3064	Orlo.exe.com	90
PID 3064 wrote to memory of 3800	3064	Orlo.exe.com	90
PID 3064 wrote to memory of 3800	3064	Orlo.exe.com	90
PID 3800 wrote to memory of 1240	3800	Orlo.exe.com	102
PID 3800 wrote to memory of 1240	3800	Orlo.exe.com	102
PID 3800 wrote to memory of 1240	3800	Orlo.exe.com	102
PID 3800 wrote to memory of 1240	3800	Orlo.exe.com	102

C:\Users\Admin\AppData\Local\Temp\f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f37bc82cabddf6a2435471b1ccaabd28_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Sia.tiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^pkGGAfikiUHgkUsEdYECSyCYSsHNpFrexxWaHUdYNNqBjTuNBNmlmGvtIHOoIxwBQETRXZXvIGOytwLYlTkcySDOYSJZuidzLnLI$" Sai.tiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com
      Orlo.exe.com S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com S
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecco.tiff

Filesize
100KB

MD5
e5586082ef5f474be6408a7f3b4dba77

SHA1
bedc7dc1f81ec8e0d2b7f9228d514ba91a056672

SHA256
e8a043bfe68012258f2e515115be252e9ae696f91450a84e54ace974772e841d

SHA512
8fcb62fd7af977921b340d8fc3b86556a53180d89fa821faefdaa8b6ab8b5fa243ca70add3aade89a1035ad1cd3983680da96cf78a87410d0827c41e4aeab6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nevi.tiff

Filesize
1002KB

MD5
6beecd000f42fe9cb8bd0c042b84fafc

SHA1
740230eaecb0ff247e92ab677058ccbc120a54be

SHA256
394081a2521b6385d9f891968f09a05ceb61607d1ea75d73acc4b64eebf0aaec

SHA512
55fa29db5ae50c8cfd8d5c404c6122706d5840ade656fabe40e7eb3ff15328b6c125ed9e800775a4895e87b7cdf673aafb4a754c302102ce574e46686a22ee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sai.tiff

Filesize
872KB

MD5
c548167b92d99e28335d53bcda495ecc

SHA1
8ebf6fc6ca98c2fa60d86ed23030bfeb3b5ba0a5

SHA256
3e9fe6e7b34e3753b8e15fe74dc5e099dcfc539ac68f6289dcf7f9c196366847

SHA512
993f8ff409133e536546bfe39f403ebe34d324864f893cc79d21104b5ab016745ec91ae912e51475a5883ab1ce868a2f9a9a144b0dc79ce6c06007092fef3f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sia.tiff

Filesize
569B

MD5
fd6bbedf4b9866258583735e2a2780d5

SHA1
f3678efe689afedd82272ca150d51c42338fe838

SHA256
68ccc09ad10c2820740db49e6238dc3373f24248920b2a776520fd5dd819fee0

SHA512
6ed3175f419a3036ed35da7772e0dfbf36358c6c0f73a351b3ac05d68ff39a6a70241d7dd293a14f0910b6502d97b93591b1ddbecaf4bd59a82d3691f73925bc

Download Submit
memory/1240-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1240-32-0x0000000005D20000-0x0000000006338000-memory.dmp

Filesize
6.1MB

Download
memory/1240-33-0x0000000003290000-0x00000000032A2000-memory.dmp

Filesize
72KB

Download
memory/1240-34-0x0000000005740000-0x000000000577C000-memory.dmp

Filesize
240KB

Download
memory/1240-35-0x0000000005780000-0x00000000057CC000-memory.dmp

Filesize
304KB

Download
memory/1240-36-0x00000000059F0000-0x0000000005AFA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing