redline | 21e4c68118505da33246b093c06fed75cc049c785db86ef79950fff50c206f59

General

Target

f0c6f971c7f14c03d37f035434567fb5.exe
Size

95KB
MD5

f0c6f971c7f14c03d37f035434567fb5
SHA1

96f7e647d2885f8eb92cb8ad56396bfce9562118
SHA256

21e4c68118505da33246b093c06fed75cc049c785db86ef79950fff50c206f59
SHA512

6fd2d11935752e3b1ee9ae1b948ddcf1d45650fe12d504fa06ae1b45f4209d65153b258b2317fe36a08aa87187ede49bc2b6c12e28a1670b9cf083ba9e4cd0aa
SSDEEP

1536:9qsINqLGlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2y3teulgS6pY:rAMOY3+zi0ZbYe1g0ujyzdUY

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

154.91.34.250:14555

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2204-1-0x0000000001120000-0x000000000113E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2204-1-0x0000000001120000-0x000000000113E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0c6f971c7f14c03d37f035434567fb5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	f0c6f971c7f14c03d37f035434567fb5.exe
2204	f0c6f971c7f14c03d37f035434567fb5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	f0c6f971c7f14c03d37f035434567fb5.exe

C:\Users\Admin\AppData\Local\Temp\f0c6f971c7f14c03d37f035434567fb5.exe
"C:\Users\Admin\AppData\Local\Temp\f0c6f971c7f14c03d37f035434567fb5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF2D2.tmp

Filesize
15KB

MD5
57f401c551a5d389485d7617e06ed880

SHA1
ab49745f04a5cef18a5bcb31a8c5d4b2672284f5

SHA256
d8f4799e0042fb6f3c032c1f19bf011b31c86d8c859494cb98a42ce3dd5542fb

SHA512
93f07c180819eccda2047b71633e642017466eecd390351827a37b5a832828270baa1e62f71f2ff03799eeb31120d0baa96ed376ba143f71d220b938e436593c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF318.tmp

Filesize
13KB

MD5
2af416ecef63134117ceea6930599c6e

SHA1
646e0256f223dde1c20a516e11f19666b52b192f

SHA256
f5d4dfe60db561f61622892640c0544d14aa77123fedf997a20462bd3ebe9c96

SHA512
f5cd7aa2a0ab8c32d528adf321c62d86921bd9e4dc5b060f0ecaa00379306bbcc83d3cb2746a77def6d7d58f45c5a68f0556c8c9282ef8e39efd1fb3ed544e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF34F.tmp

Filesize
21KB

MD5
56ff90cb4c543701520b3a450c8f3ff2

SHA1
2321a1f7c1521c71f3dcb001c6dbb957243be722

SHA256
dad757e3ad0f38f5693fe57ae84cf929acdc7c1db24fd4b760c9e3e178dea0a4

SHA512
1eaaa81c1c08e08683e0d13ce85e5084545c04cd31ccc5fe059693f530f467b96a141902474e938fcf3ac3df3772502fa00594a018a5e174c9624b6683f826bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8D3.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8F8.tmp

Filesize
92KB

MD5
f98745d81e8b84f39630844a63afc1ee

SHA1
d7977c2dab5de25630f7d869f9b16a8502cd3bb3

SHA256
9c34e13f0d2852fb4a8a53a4727a59d24691a507edb6ff1965024a6147799a83

SHA512
e6b1bf12139e627d6aa2b25c9d7e8ebab1e86fc3025655bf88bc735413f55b10490f0237b8d11fd5db0eb6045f6176e93228c70d8e940a62ea4324816c31a3dd

Download Submit
memory/2204-0-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x0000000001120000-0x000000000113E000-memory.dmp

Filesize
120KB

Download
memory/2204-2-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-3-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/2204-241-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing