redline | 2b8dd6e401df9a624a3255fce908ac384eb3013d69651c0d133521e2409cbdf9

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe
Size

2.3MB
MD5

fcd6f9dc4c2dedb09f02e98ae484275c
SHA1

3caa9da0bdd2d95f9e4f2293e16fb3f0609c0aa1
SHA256

2b8dd6e401df9a624a3255fce908ac384eb3013d69651c0d133521e2409cbdf9
SHA512

e790c7d0af673e4c6c414b27af5fdd894708f31c03943ff2f5d2f28c2c0f261e62c86fd177228c524eae28d450c8934f3b0ca2f117aad2b87c7c21e935b2ece5
SSDEEP

49152:25+hF6ujRlg2cvPauujSAzH9GsnfBgh2Px5ej75/xiz8lVHTIioOFZQ+R:25aF6ujRmFDAz9fBx5ev5/xiqZ7R

Score

10^/10

redline sectoprat @ditrc discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@DitrC

45.132.104.217:12780

Attributes

auth_value
bb67ccc49d44343128ca161d7fe51029

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b6f-82.dat	family_redline
behavioral2/memory/1728-83-0x00000000004B0000-0x00000000004D2000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b6f-82.dat	family_sectoprat
behavioral2/memory/1728-83-0x00000000004B0000-0x00000000004D2000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe

Executes dropped EXE 12 IoCs

pid	Process
2076	7z.exe
2204	7z.exe
1892	7z.exe
2224	7z.exe
4692	7z.exe
2580	7z.exe
4764	7z.exe
3312	7z.exe
2164	7z.exe
1312	7z.exe
3808	7z.exe
1728	DitrC.exe

Loads dropped DLL 11 IoCs

pid	Process
2076	7z.exe
2204	7z.exe
1892	7z.exe
2224	7z.exe
4692	7z.exe
2580	7z.exe
4764	7z.exe
3312	7z.exe
2164	7z.exe
1312	7z.exe
3808	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DitrC.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	2076	7z.exe
Token: 35	2076	7z.exe
Token: SeSecurityPrivilege	2076	7z.exe
Token: SeSecurityPrivilege	2076	7z.exe
Token: SeRestorePrivilege	2204	7z.exe
Token: 35	2204	7z.exe
Token: SeSecurityPrivilege	2204	7z.exe
Token: SeSecurityPrivilege	2204	7z.exe
Token: SeRestorePrivilege	1892	7z.exe
Token: 35	1892	7z.exe
Token: SeSecurityPrivilege	1892	7z.exe
Token: SeSecurityPrivilege	1892	7z.exe
Token: SeRestorePrivilege	2224	7z.exe
Token: 35	2224	7z.exe
Token: SeSecurityPrivilege	2224	7z.exe
Token: SeSecurityPrivilege	2224	7z.exe
Token: SeRestorePrivilege	4692	7z.exe
Token: 35	4692	7z.exe
Token: SeSecurityPrivilege	4692	7z.exe
Token: SeSecurityPrivilege	4692	7z.exe
Token: SeRestorePrivilege	2580	7z.exe
Token: 35	2580	7z.exe
Token: SeSecurityPrivilege	2580	7z.exe
Token: SeSecurityPrivilege	2580	7z.exe
Token: SeRestorePrivilege	4764	7z.exe
Token: 35	4764	7z.exe
Token: SeSecurityPrivilege	4764	7z.exe
Token: SeSecurityPrivilege	4764	7z.exe
Token: SeRestorePrivilege	3312	7z.exe
Token: 35	3312	7z.exe
Token: SeSecurityPrivilege	3312	7z.exe
Token: SeSecurityPrivilege	3312	7z.exe
Token: SeRestorePrivilege	2164	7z.exe
Token: 35	2164	7z.exe
Token: SeSecurityPrivilege	2164	7z.exe
Token: SeSecurityPrivilege	2164	7z.exe
Token: SeRestorePrivilege	1312	7z.exe
Token: 35	1312	7z.exe
Token: SeSecurityPrivilege	1312	7z.exe
Token: SeSecurityPrivilege	1312	7z.exe
Token: SeRestorePrivilege	3808	7z.exe
Token: 35	3808	7z.exe
Token: SeSecurityPrivilege	3808	7z.exe
Token: SeSecurityPrivilege	3808	7z.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 1180	3204	JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe	83
PID 3204 wrote to memory of 1180	3204	JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe	83
PID 1180 wrote to memory of 2068	1180	cmd.exe	85
PID 1180 wrote to memory of 2068	1180	cmd.exe	85
PID 1180 wrote to memory of 2076	1180	cmd.exe	86
PID 1180 wrote to memory of 2076	1180	cmd.exe	86
PID 1180 wrote to memory of 2204	1180	cmd.exe	87
PID 1180 wrote to memory of 2204	1180	cmd.exe	87
PID 1180 wrote to memory of 1892	1180	cmd.exe	88
PID 1180 wrote to memory of 1892	1180	cmd.exe	88
PID 1180 wrote to memory of 2224	1180	cmd.exe	89
PID 1180 wrote to memory of 2224	1180	cmd.exe	89
PID 1180 wrote to memory of 4692	1180	cmd.exe	90
PID 1180 wrote to memory of 4692	1180	cmd.exe	90
PID 1180 wrote to memory of 2580	1180	cmd.exe	91
PID 1180 wrote to memory of 2580	1180	cmd.exe	91
PID 1180 wrote to memory of 4764	1180	cmd.exe	92
PID 1180 wrote to memory of 4764	1180	cmd.exe	92
PID 1180 wrote to memory of 3312	1180	cmd.exe	93
PID 1180 wrote to memory of 3312	1180	cmd.exe	93
PID 1180 wrote to memory of 2164	1180	cmd.exe	94
PID 1180 wrote to memory of 2164	1180	cmd.exe	94
PID 1180 wrote to memory of 1312	1180	cmd.exe	95
PID 1180 wrote to memory of 1312	1180	cmd.exe	95
PID 1180 wrote to memory of 3808	1180	cmd.exe	96
PID 1180 wrote to memory of 3808	1180	cmd.exe	96
PID 1180 wrote to memory of 4180	1180	cmd.exe	97
PID 1180 wrote to memory of 4180	1180	cmd.exe	97
PID 1180 wrote to memory of 1728	1180	cmd.exe	98
PID 1180 wrote to memory of 1728	1180	cmd.exe	98
PID 1180 wrote to memory of 1728	1180	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4180	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fcd6f9dc4c2dedb09f02e98ae484275c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________31817pwd7636pwd29059pwd10164pwd8918pwd1019___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\system32\attrib.exe
    attrib +H "DitrC.exe"
    3⤵
    - Views/modifies file attributes
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\main\DitrC.exe
    "DitrC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\DitrC.exe

Filesize
113KB

MD5
ee300afc745dc8656a8cf2c00687b497

SHA1
0a24d7ceae8fbddbf951a78a0c03d0e612784183

SHA256
e8e5f4aaed62a08838120aacded272497525333d09214b82aa7d66d04fbbea2a

SHA512
7c17799a642076ec4991b16c2c2f879450f01bacb5d5e5a17b69657ff1db69ceecd8f6a3a6080dac688b32e1a3ab09946de42ba5a63041964d6d0e621b2c29a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
b32792b467f219eeeb3230e95d8d130d

SHA1
0f2bbe569d215039d94d5e3df3144139567d9ca4

SHA256
671f5f8b912dff36505429762f285c24e8c379bc1680afe44c43301f912c787d

SHA512
919b85fd5c102426da889e4d08165cbfb3f9c538fa57f92fad14eaf9f14c87da098a1fa01d3f88a91c496f58a28c6d9c20762aeba1c76fe5cdcc67419a2cd0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
46KB

MD5
91cced3d30cffbdc9af4d1f541f24674

SHA1
aa2045a128c444a4d48737befb4af8a6e5df7a08

SHA256
56e81b150a4a01bd787dc89388bcd3966f9cc8951440f141c5a67a229687938f

SHA512
7ab500dc28b81d5afc222032384da2cb0637b307d04c74ce6b1325a5e248a6c13c844b6f386d5b02a112d20c4821dc088fb4fd2e8b638f1463632ec97d5659c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
1.6MB

MD5
f45da43cbb6a679e75d2e4d7dfc51ef7

SHA1
c17508f41af73c2ea5c467356e7f0359d02de1b6

SHA256
d9858bf2882ac4dbb1abda9013817102d2aa1b8378c0ebfc39bf17296b7e856a

SHA512
54f347550f8cce60c6e442150a46f5cba498c83dac5aab196f41cd290fff53d6cea7c52ea491e1aa965f549bfb74065478bab6378d35bf0d3b78d6cdccc35bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
46KB

MD5
38fb2e7d522a6ca8a79f9759ce6ce49c

SHA1
e3dbacb098d8e658c1b215a472085482235c034f

SHA256
39df2ca12272ffd9a0be10ab7b57e9191e9cea90632ebc80f69f54fab86e2af9

SHA512
c26cae9c23f27d693650a14ed9f1ae524444963efc76a37c331d61a3531b0035b56ea0cb7857a875073fbac8ca41345a4f7bc5e7ed82d081ff4dc900dccd171e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
46KB

MD5
644b41b94026451ef343c3fe8b0008a9

SHA1
a3a1d7ec11e2bfa3ade56711ac4f35b9d95db5ad

SHA256
512c1e921a5ec3bb31977d5409b3f735ff8f0bc9fd76f04cc03655fdaad49cb1

SHA512
3fe80081206998e1fdcb1e6378a5708f5ebfc33d159aa1fbe0948e152e7474ef4a6d86ecffb252a6c4d7fe1656ba83622316e6fb78da36f1183353de169b102c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
46KB

MD5
a644c64b435a457e9bbc83f246f6afec

SHA1
fc77dfc574ffb234a380b911f05bc0e3b49e3208

SHA256
e6fc295947c2f2ba5258683db0b6c85ca029dde1e05f3dc09536733be96b61f3

SHA512
75534d5ebc686e8e844d249a1c3f2c30c8356838416d66778901dd4280b0a2aeb1683bb2e2351522b3e14f379d1a2bd11d1e41e8d26c7f38f1e9cdbdf54b8da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
46KB

MD5
73efed54d9877cf1484844cf41e58aa7

SHA1
b9de31c41c2a4c6d2a0ac228c1e3f02777d42ffc

SHA256
426d59adfc32bb848cb873f281a8e0e112d8a5c492084d6707c1ffbd900fb1b9

SHA512
cef3602a2ce845e465c3723af6cee0abeca6c4bcf09097cbd8e19934be73efceae0ac76203b9d9224e568f52f45be5b48a7cb0cfda106aa5aae7987db981bc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
47KB

MD5
91af5e57ae4ffa2256e2d269bf464b06

SHA1
123ffc91ac4f08b3e84a245e9b11df60b0ea7ad6

SHA256
559adc6cfc2c95fc0b56c6c26d5559ed4e2079d95221daadb5fe13f451056179

SHA512
6a8a920d2a80c38c100961db1863749e90def68817c3260538f81d6227501bc7eeba4d5ed8ec7f06b420950566b8a1f4ae5e2bd38208d214f168d53cb03ab751

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
47KB

MD5
9553ba50a5baefece39e629853761b11

SHA1
2cd5ae2a663b951d89c6511acc497f22fa249518

SHA256
2b0ddadfee776a43f2e6778bdf22d651260233970ccaf7eb4760def5520b6bef

SHA512
309b85c30cb896210c2ae74eb1acbfe5a46088f4e6a9d97b9db3f89725cc4394a8b64b636b2a1a54031650a95f169b724b33dd7face7b44e6aa01c489a2cf2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
47KB

MD5
9566af2a41b3b83c123cae58b8c4ebb8

SHA1
8dffdc1231d71aa84c6875a26b65893022f98405

SHA256
dc679b2bfbc25279822364bbd47209f6fdd695227ac6f349e56435bb0f36c98e

SHA512
df09915d44b46fbcbad9c7a9a3f4fbad866319918097e74a6e3f9d621c6d1935ac01a06c7669c585761c1eddbe614f3cb565aa79c1313754b18a10838d957b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
47KB

MD5
5dce040d04a58a5d7f3387fee535eb0a

SHA1
9b8542bc440faef0766f8be211fa8b62cc68cf0e

SHA256
07d6eb3e24b17ed294b6dc0785156f8f67e481538c40ec7501bbc16fc8d5cb71

SHA512
69f9b019e51ae5e4e0302f6598001f51d126ef3f30ebd43b2d67ff86bb8d2ee6785b853b173953ebed45fa22f0e7eb50a64215d795c8294b5a232895a3c68f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
1c5604c494f35d5d9c7c7d31d95cd53d

SHA1
1e7d29ee3a689d53ae68f1d0a2540f2de7507849

SHA256
2e89e422629a1b331ed92eebaa3497171372f9de90ba5f400b68886cd2c60acd

SHA512
775714936e14e89bf23a4069c4ffe6d053540131fb2f92db4b9698930f52bd1c28aabf962fd6658394eb8db55b4a722bda84fa6d690b7de0d23fa3cfdc128348

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
491B

MD5
7df22fb181b869c60d69051a25a7956b

SHA1
d16060ef1c77001c74f40b87ccfcfe5b3181f7ad

SHA256
ec403424255b6ccb1755de3b394e533247655377379765f123d41b4caace2c18

SHA512
f9c2823b9e9db80c25b246a6f477bb179fa3b25f7a43d190866fbfc953b77fbab9c33b91d6b7a3fe281d7d023edcba73f45c95b1a9fc7bc5f92da36fcdefc8b8

Download Submit
memory/1728-89-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/1728-84-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/1728-85-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/1728-87-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/1728-90-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/1728-88-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/1728-86-0x00000000060A0000-0x00000000066B8000-memory.dmp

Filesize
6.1MB

Download
memory/1728-83-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download