redline | 55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aff3d560eb4e4550f839bb25a23f33b.exe
Size

445KB
MD5

8aff3d560eb4e4550f839bb25a23f33b
SHA1

e531081a7b1697ebf78e9d696d3794cf569d4346
SHA256

55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce
SHA512

76cd25086287b70b53f5f4d674c1fa3b1b49c5e3c94e45134b7b989d1d3cfd8ac96983a0da0e081fd2c39a328e9313b6fac9c10b01b386c16948a336fb084658
SSDEEP

12288:5b5pP4Tbe1LsRU8z0gS5trj6kR3iOjbzTVGg:p5pP4TbYq0gSPxQMVGg

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

154.91.34.250:14555

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1924-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1924-8-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1924-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1924-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1924-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1924-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1924-8-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1924-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1924-17-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1924-15-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1924	regsvcs.exe
1924	regsvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	regsvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 1924	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	30
PID 1692 wrote to memory of 2968	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	32
PID 1692 wrote to memory of 2968	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	32
PID 1692 wrote to memory of 2968	1692	8aff3d560eb4e4550f839bb25a23f33b.exe	32

C:\Users\Admin\AppData\Local\Temp\8aff3d560eb4e4550f839bb25a23f33b.exe
"C:\Users\Admin\AppData\Local\Temp\8aff3d560eb4e4550f839bb25a23f33b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1692 -s 628
  2⤵
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE62F.tmp

Filesize
13KB

MD5
cf88ad63a2561be413b27d14842b1f38

SHA1
2588690b8e17df7c792c51db2326737425f9ad6f

SHA256
3a16e87627d877bd911e8bc8db9fa2f77014559e0ba775e835cba8cf5d0ea651

SHA512
d0d812d26585097c74dac1e2f5b13e06875ec4501906fc94087e0597dc114c97a6e1cac778a3db2fb9b250cb8902a3c7f0f8b0cae21812306ffa0ab6f381b41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE635.tmp

Filesize
341KB

MD5
49544535d2646d69f4210b6aca1b647c

SHA1
ec5d0a03a056fba0cb916e1ff10a294214488978

SHA256
c3e36e0ec2e18c267196789a64e797b8edec38fecab4cc36f9ed565d59f1b563

SHA512
702ee250c9cbe86d0f1d9b09577aa1e0bc2ca72eb6cf7a36f775a438e0e0e0ddb78f18f66f5e7d1f3ecece4388ca0dcad765946a35969fed3831eed80a5c7b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE64A.tmp

Filesize
17KB

MD5
d249613b3ab8d8050efe8e4c6b1d7e28

SHA1
7124c831b78fc9cc5184cf1ada471cd64a271342

SHA256
098438ec94329da311f3b883b766c45e25d0bbff4a19e2e405c94985091e4f40

SHA512
ec0e6eabbaf76ef2f9690ea033c627528bdae820c1be2149c1c0d34a10d31e6f1ab6ee71c8c0b1c1d80a8a3c2e877092bde45616cf6c8b86c8ae31b90918c2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE665.tmp

Filesize
455KB

MD5
d9d64712a1caa78e4789471cf74bb6ef

SHA1
b8b157b8e19981895800d5c5b9eae10ef0d718d6

SHA256
90b1ae696f516a7d4bfc5d4d5d5d2397c8cf243d5e8328ea00da2d45c0d95687

SHA512
68f67ff0ee62547b2dde420aa5854d6c44ca6304e2bda05200a967d23fd733b11ee14a39010f7c43b0bd49431bae863dc7fd367d3123472238f6ead6c38017d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE69E.tmp

Filesize
14KB

MD5
3834ba9080b0f5dae3f4123062ce53e4

SHA1
c9c27af3049c8848059873405f51855597bbc44b

SHA256
433ffb727bd8e01c01b9347e54c7a5291b842fcbd867b3a3da3cffdd99c74229

SHA512
17cb86ba7b6f3cc572323c564d4a7f903fc0723c858376f00d24362502d28d99c203ad74f86f1b564332b97c699a189935dd5652ac4b65e841e733a51d6446c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6C7.tmp

Filesize
13KB

MD5
a99bf4536e2442bf21242d6742da4178

SHA1
5ce0a39762b37518a99b1d127a8b013c8e05b3ab

SHA256
5c2476fc4e975c4f68d78373b2f93f381150eaca389bde895119161c9f86e77b

SHA512
20c1351ac8ae8866f44574804d41890384f530e124e6ec22f81cbaa59f006c4d30277d144df5504176226958694d12b603515ea7b0910ea704616724fff9d938

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6C9.tmp

Filesize
18KB

MD5
bc3c0d2147b1f5e68537c91decd079c2

SHA1
669137fd4918be342624e7fe91ff7537f6a8f602

SHA256
117d7a7d81e8a299108fdd445c561150bab16ad39e10685a61550d8f6228e9f4

SHA512
a6180dbd624ef519d4a2953dfa336ef039c2b1015b81c8c40cd41c80f141cd1ce67ceb3b76cc7773ef06893995fc8e5f674301bf16852e665c21f3fb0a82b8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6CA.tmp

Filesize
792KB

MD5
422f5c10def14e6f72ac146788fe5eed

SHA1
cede371d03c83881a3977fdee90631043d2ca2ae

SHA256
aebc76743b89ea808706a1bd284c182c10de8c846578553583c2dcee671284c3

SHA512
de36a1ac80a19e26b0312a35e96e5deb93baba867a4d046d4b8ccf72a56e0c2a8fdc9b924ad4448ae50444563de079cf061239450bdfe7d0e108928bc0946a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE707.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE72C.tmp

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
memory/1692-3-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1692-2-0x00000000002F0000-0x0000000000360000-memory.dmp

Filesize
448KB

Download
memory/1692-1-0x0000000001390000-0x0000000001402000-memory.dmp

Filesize
456KB

Download
memory/1692-20-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-21-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1924-19-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-18-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1924-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1924-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-316-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download