redline | 55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe
Size

445KB
MD5

8aff3d560eb4e4550f839bb25a23f33b
SHA1

e531081a7b1697ebf78e9d696d3794cf569d4346
SHA256

55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce
SHA512

76cd25086287b70b53f5f4d674c1fa3b1b49c5e3c94e45134b7b989d1d3cfd8ac96983a0da0e081fd2c39a328e9313b6fac9c10b01b386c16948a336fb084658
SSDEEP

12288:5b5pP4Tbe1LsRU8z0gS5trj6kR3iOjbzTVGg:p5pP4TbYq0gSPxQMVGg

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

154.91.34.250:14555

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2540-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2540-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2540-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2540-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2540-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2540-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2540-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2540-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2540-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2540-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 308 set thread context of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	jsc.exe
2540	jsc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	jsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2540	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	30
PID 308 wrote to memory of 2244	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	32
PID 308 wrote to memory of 2244	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	32
PID 308 wrote to memory of 2244	308	55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe	32

C:\Users\Admin\AppData\Local\Temp\55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe
"C:\Users\Admin\AppData\Local\Temp\55c9a76d39d5d236202271d56bdf3e8357fc1b15458030a46a628e6ab4443bce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 308 -s 628
  2⤵
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA095.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0AB.tmp

Filesize
92KB

MD5
444dfcb62fb09ad8de699a5d55d95b79

SHA1
f1cef14842b4791879318c31aa79d38d01a7290e

SHA256
c0a07d63b5dce56a498bdae1c6729182d736f2592151232d8df3ce7162f865a7

SHA512
8dc97ff55ae760728afd046a2ec0fe7947ffc59ded6830f0f8aa2ec4cadb063843b3eefabef4e29dbf7986a5caffc003373ad4abee6fcc47f12e51223696999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA68E.tmp

Filesize
14KB

MD5
739c4070b80be9e6374ed064c47f4cc5

SHA1
43666322e1c4613763d82dcb02d7e79e1f5bf250

SHA256
55217c7b9723caf3485734bf3e08bdef7ce9480985c0595e14346bbbe433ca89

SHA512
9e8ab25b47dfda9f5adbc1a5ac90a797a92a076f77563b4dfe983a658094a82d78fb422d8b523ea7f5eac17861be900aefd1acdc8b2ed3ef187e9f8c043df835

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6A6.tmp

Filesize
13KB

MD5
e689e3879939efd743948b5dded7fc00

SHA1
6241a7da44915e9efeda59b4889d54c2a8cfdeb2

SHA256
16d8bcd0f21f563ed5e1997b0e314505c97f88904d2bb3ddadbe417a12cc4874

SHA512
1fa92a343cc50d68b486f058aa15c8fbb864787233e47db052301bbb664898dd8018d20b0061938fa313341e2c209023ded28cce883f00f85433ff74b5a74d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6A7.tmp

Filesize
16KB

MD5
baa46ecd7d928e6ad9bca3ea28d22ccc

SHA1
83e275d07bfdecbc0e035df606bb8020522aba2f

SHA256
1d5ad169657cfd86816011ed6539d94ad885552f429d608bc595fc720eab9858

SHA512
d71bfa5df44dd496b327aa78292b4ed277c456d8409076fef2f104ea58c267a1813569a7d09dd411673976e111844a3c427da2ba17f95925aa1e0d367381ff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6BE.tmp

Filesize
20KB

MD5
ece4b7489f9485ec4b0a2828c39f2514

SHA1
49cc7622c46ea1d1e923c3fc243c8f337f9f6983

SHA256
7d18b2167abbe9b0ef68ab3981933eb1163b5efcf98b0dab8e2adeacdba9109f

SHA512
88190578218c7699d22e67ff35597fe15ba146709c1d0d0677edf74f78e569d211f0f7399463b7d9ba59cd9a5f80d74c91a2d49f1159521eafca4f9c24d539dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6C0.tmp

Filesize
15KB

MD5
5a9e96f75c52019d7d203ef6c9212c7a

SHA1
f083f7e159981c11a712b55aa1cf9458645d56ce

SHA256
e3d668b2175f7c8d8990ef36d0c8f4f5cc5851e5dcbe2476abc92e599f163b8b

SHA512
db84f780c30e5fff8aaa05463a27a144e3bf5ed37e09e5ed37b7b0ef9522fb8d93913485ca2d9304b81208e706e5b07c60d13a5921936e9ea9288e673fd75c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA733.tmp

Filesize
13KB

MD5
f5904c94ec2f7bd3b6cb3b5eb7b54995

SHA1
c674d8da52809cd22986f7690850221ef44592b7

SHA256
85d375a796ad7af62f44cf8813759bc3bc2e6be67b2071b7943ce35edb14981c

SHA512
5144082289c251b5c9f49df07f9a4535d9fd37b3f426857abafb3c27ce714f8ab0b58d6c97f36b271ea599829d7ff5c81fbdcc3a00ae357a7cf34cd257164664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA745.tmp

Filesize
18KB

MD5
c50e9c142eb32d4f6a6d726287046c06

SHA1
67d175ca9427c02b35ded054161b1120d5f3f10f

SHA256
67423349a1a603df2fe5c82ad8220c83875470ff0980f5f2d3f67a8744e82880

SHA512
dc61c3923d9516fef8ca82bc0809e19439b8927185785a5b01dcf4c36d988ab08335abcbc1f228685c3d883056f31e2db115bab12ccb7149b50fbd3e66b84abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA758.tmp

Filesize
2.7MB

MD5
1152e2b81c7e4487eb8832cfe778a1aa

SHA1
c1b334f58e3b53b76857a7026a2dab683262b332

SHA256
31db332893900c38db20997d9fcba1b2f5b2c7e75175804e0335e134808edbac

SHA512
50d6b647772d34a59f12eb3710b80eeff31f9d5d0eedd441e7c192abef9634a3f0c05938532f8742a2e5032ed7b9b2dfbda5374c40588e96035fd4c6d092211f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA788.tmp

Filesize
15KB

MD5
f77f5ac0fa653dd3f7e947fb688ad977

SHA1
1b166fa33ae2aeef753bc6350f8303a6f4626ca6

SHA256
b0295de13fd5df0f6d8d3a176f3d329a9de32dc4e013c86cbef0495ec691029d

SHA512
70783e0a418c2ffb759308bd1b45387a4795d656e1f5e9fb88b314997a3565558c605b6b209c9203e4560f9286d50bb81532cf2d64484d0a4e470e02e0cb3ba3

Download Submit
memory/308-16-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/308-3-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/308-1-0x00000000002B0000-0x0000000000322000-memory.dmp

Filesize
456KB

Download
memory/308-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/308-2-0x0000000000430000-0x00000000004A0000-memory.dmp

Filesize
448KB

Download
memory/2540-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-78-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-14-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2540-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-17-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2540-15-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download