redline | f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71

General

Target

f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe
Size

1.0MB
MD5

6afdd0cbdf70f3e75f423b1557648e85
SHA1

6c5cf72a38f08fd41b9f4943efaa4fa3b4d92c66
SHA256

f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71
SHA512

b550dbba19c53f55d1433cfbd38fff724c9759da4232597f1b3213e98529f440854a32387eb4a7a7aea2b6a2601816e13b0cfd2ab8712c2f6ef0ec66a2c5028d
SSDEEP

24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8abXTaR:ATvC/MTQYxsWR7abX

Score

10^/10

redline sectoprat cheat discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.90:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2576-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2576-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2576-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2576-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2576-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2576-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe
2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe
2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30
PID 2400 wrote to memory of 2576	2400	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe	30

C:\Users\Admin\AppData\Local\Temp\f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe
"C:\Users\Admin\AppData\Local\Temp\f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-6-0x0000000000BC0000-0x0000000000FC0000-memory.dmp

Filesize
4.0MB

Download
memory/2576-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-12-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2576-13-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-14-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2576-15-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing