redline | 25fffa8242fa6451b7854125fe7dda67c23595e79a63087261c26c449f5bf0b4

General

Target

JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe
Size

4.7MB
MD5

695f69c6f2dc20da8dc09182fbcf2b09
SHA1

9f0815868f90780ad7a40d5521d31d76d2969a79
SHA256

25fffa8242fa6451b7854125fe7dda67c23595e79a63087261c26c449f5bf0b4
SHA512

452c1f7b08cfb2174ee2506d1efd2d64cb596ac22661ff088bca68ba96e2b037a0a7d59650f3f28bec49dfb47c64099a79b92b227063cfacd769fb84564c3a53
SSDEEP

98304:QLcelvWSYfjJbP73mgiNOiSXiFib2aXUnl8fDS0Yln2xr8VYIOqeZp:zwibP73mb0i7FT3SLS0XrZ/

Score

10^/10

redline sectoprat @syelore discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@syelore

C2

cavanynnari.xyz:81

Attributes

auth_value
584b781c29c4ce798ce009c5b16b2263

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2716-43-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2716-42-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2716-35-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2716-43-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/2716-42-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/2716-35-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe
1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31
PID 1708 wrote to memory of 2716	1708	JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_695f69c6f2dc20da8dc09182fbcf2b09.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-7-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1708-14-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1708-0-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1708-27-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1708-30-0x0000000001340000-0x00000000017EC000-memory.dmp

Filesize
4.7MB

Download
memory/1708-24-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1708-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1708-19-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1708-17-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1708-4-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1708-12-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1708-9-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1708-29-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1708-31-0x0000000001375000-0x00000000015FE000-memory.dmp

Filesize
2.5MB

Download
memory/1708-41-0x0000000001375000-0x00000000015FE000-memory.dmp

Filesize
2.5MB

Download
memory/1708-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1708-33-0x0000000001340000-0x00000000017EC000-memory.dmp

Filesize
4.7MB

Download
memory/1708-5-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2716-47-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2716-42-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2716-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2716-44-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/2716-45-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-46-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/2716-34-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing