redline | aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b

General

Target

aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe
Size

1.0MB
MD5

8a65e4ace5821564817c5f343352474c
SHA1

5921aa00413c8ebcc7f639740e85f0389c8c7e09
SHA256

aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b
SHA512

9a44c2c1838567b9b1e1280b338a2b5a6eddb0ad7310e078a9a74e3374ba826ba5344b627c3a06fef90da0168fb6d6349954e867ceb09b68de0eca068f11bb28
SSDEEP

24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8aNVscHOCWth:WTvC/MTQYxsWR7aNVsfCC

Score

10^/10

redline sectoprat cheat discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.90:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/1052-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1052-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1052-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1052-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1052-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1052-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe
2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe
2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31
PID 2016 wrote to memory of 1052	2016	aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe	31

C:\Users\Admin\AppData\Local\Temp\aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe
"C:\Users\Admin\AppData\Local\Temp\aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1052-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1052-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1052-12-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/1052-13-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1052-14-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/1052-15-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-6-0x00000000009E0000-0x0000000000DE0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing