redline | 1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 18:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TJUCA_random.exe
Size

1.7MB
MD5

f662cb18e04cc62863751b672570bd7d
SHA1

1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
SHA256

1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
SHA512

ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4
SSDEEP

24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3492-1-0x0000000000510000-0x0000000000988000-memory.dmp	family_sectoprat
behavioral2/memory/3492-2-0x0000000000510000-0x0000000000988000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TJUCA_random.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TJUCA_random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TJUCA_random.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Wine	TJUCA_random.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3492	TJUCA_random.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TJUCA_random.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3492	TJUCA_random.exe
3492	TJUCA_random.exe
3492	TJUCA_random.exe
3492	TJUCA_random.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	TJUCA_random.exe

C:\Users\Admin\AppData\Local\Temp\TJUCA_random.exe
"C:\Users\Admin\AppData\Local\Temp\TJUCA_random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
POST

http://103.84.89.222:33791/

TJUCA_random.exe

Remote address:

103.84.89.222:33791

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 103.84.89.222:33791
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 31 Jan 2025 18:26:23 GMT
POST

http://103.84.89.222:33791/

TJUCA_random.exe

Remote address:

103.84.89.222:33791

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 103.84.89.222:33791
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 5045
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 31 Jan 2025 18:26:29 GMT
POST

http://103.84.89.222:33791/

TJUCA_random.exe

Remote address:

103.84.89.222:33791

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 103.84.89.222:33791
Content-Length: 33610143
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 31 Jan 2025 18:28:27 GMT
POST

http://103.84.89.222:33791/

TJUCA_random.exe

Remote address:

103.84.89.222:33791

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 103.84.89.222:33791
Content-Length: 33610135
Expect: 100-continue
Accept-Encoding: gzip, deflate
DNS

222.89.84.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.89.84.103.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

TJUCA_random.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31
GET

https://api.ip.sb/geoip

TJUCA_random.exe

Remote address:

172.67.75.172:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 31 Jan 2025 18:26:30 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=88lzoysRpsf2q4ZYJUNSNIEtvsBO0S%2BW%2FLU1wKkQnw1PpdBMabCawWLyANEF6G4EhPOEI%2FZJ2iXl%2FOtIJXiVBYMVfNGuPv3hrheIlHGW9hiKLOFQ5hffpaw3MA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 90abc01baa888880-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52756&min_rtt=47594&rtt_var=23695&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2968&recv_bytes=357&delivery_rate=56708&cwnd=252&unsent_bytes=0&cid=437728095c3c6a22&ts=223&x=0"
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

103.84.89.222:33791

http://103.84.89.222:33791/

http

TJUCA_random.exe

43.8MB
825.9kB
31461
17663

HTTP Request

POST http://103.84.89.222:33791/

HTTP Response

200

HTTP Request

POST http://103.84.89.222:33791/

HTTP Response

200

HTTP Request

POST http://103.84.89.222:33791/

HTTP Response

200

HTTP Request

POST http://103.84.89.222:33791/
172.67.75.172:443

https://api.ip.sb/geoip

tls, http

TJUCA_random.exe

759 B
4.7kB
9
9

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

222.89.84.103.in-addr.arpa

dns

72 B
160 B
1
1

DNS Request

222.89.84.103.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

TJUCA_random.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

172.67.75.172

104.26.12.31

104.26.13.31
8.8.8.8:53

172.75.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

172.75.67.172.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDF35.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF4B.tmp

Filesize
114KB

MD5
552e998bbe2783923ac0931a6cbd0185

SHA1
cb551e422b57a1dfd08dc653443b662f0a0f81c3

SHA256
589e94da67c2267c5dbe4aeded0bae2818dfe2e788b28d27536eaf702cded3d3

SHA512
8c82cbb8360fac0321dc23d7734e3322518fc31843c04b49b09a4146b0ed8a4c38b663dea68a66916960071ce1843acae30c12347935f2678b77ff1926dc68f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF76.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF8C.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF92.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDFDC.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDFE3.tmp

Filesize
19KB

MD5
88f21b4490b8cd75c1c8e95e88280512

SHA1
0918fad71f17c6fcdd96c68b11ee60f56ab5f896

SHA256
5702190f9e155de0148e04043b008919fa058a7a888f76f8220351cac07d1a70

SHA512
a6877cb512065a56dff1b30ca8ae175f12758e9c4f433214ae02e9a19a1b7ea4035b587f843a641733fe0c2f61254cd29f4fa8fbbff56490d73d1a9ea4a7dce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE021.tmp

Filesize
10KB

MD5
91e15547bc5875a09ed4b8f20730528b

SHA1
effa174b8fbafb3275d860f6d9b849a33452f24f

SHA256
853af05862b0d49685a65f963bb7380b660ae5101a8bcdd43b6850382ee02125

SHA512
0b94c20181e9481da1286883f2eb9d7a41ea0b97b2494d348e590c075187a541e05600fad8fc5ac0dc4ac6281fdd9e6676597efb5c6c74c6686f68577a8ad94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0AA.tmp

Filesize
436KB

MD5
bb9d76cd2997ff5cb6635683c5fc40ac

SHA1
230b849aff254b1d3da7204437cb768635ea34e2

SHA256
afd80686947b54afa3b97498b3df4c01d3d8b874cd669c97b0d2974d061b3190

SHA512
64bfcb13f60bb763153e52b3b79218823117342de2e2523493f913f8b78f8c42c5ea42795952b315db8cdb7804b74bf7b89bd94b13850296946fbe2f8917b6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0AC.tmp

Filesize
18KB

MD5
9d38fbc22e325bb34b6b1d175b47357f

SHA1
7189eb0908d4cfe8d78d86740d60116c4f99ced0

SHA256
ed450209f81a6f52fde5cfabdac4fb45465cb711354c9582ea3a42849b76bbbb

SHA512
09dc628dbfe3ca91696f7b1ea801c518e4546cc9dd5d46e5883c10ff409018e1bf33d2e268a819139e14aeaeba13fcf6c07682202ced9656d8da08f327c8cb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0BE.tmp

Filesize
13KB

MD5
8ecf115fd8fc66a50edeca8d2575237e

SHA1
6b6c642a0b045365ab83bd7f49cbce2eeca685b4

SHA256
b9aa8a0ac525085776883b75ceb609c3f55a5792e8de2e46c0b29cf4b36a0b3d

SHA512
1a4bdc5ea7b8d34a3a9d51ed27a11181b1793e7966b3c08ba9b1fe9cfb3126ba3a591f35f96fb4b058b0952287da454b82558957cfdd27eaa3d109337aa41cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0BF.tmp

Filesize
14KB

MD5
c0e62719dbe223a29063ea5c4380de5a

SHA1
c7354fb91c149d1fb207bdf56127d93876db1baa

SHA256
237eb4255d79f319659ae7e000b9caae02e06896ed389775e3e493922e4777e6

SHA512
2e63a8c3cc017e4f8de945872d5670e774c17db63b3ac3338ca36ed281c29fca69106447b3bf7963a58eac72a67d3be6be97459441b296fdb836759539f3c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0C0.tmp

Filesize
1.0MB

MD5
124b0be0f0aba94e8b35cf9b2b0ee01a

SHA1
01d6cef25095674a475c3a77378d1495f2fff41a

SHA256
0b09d69d82195626b0791cbe373054de2e28571ea817d4c84115ec22d01355df

SHA512
2c3142a8108460daaaed2048a0d9d602e324f0572e2b3a2c329bcc6a51a757438470eac716ec60b6154222b16aa5418c16b06c195d801ef28dcef16d802279c9

Download Submit
memory/3492-7-0x0000000007D00000-0x0000000007E0A000-memory.dmp

Filesize
1.0MB

Download
memory/3492-9-0x00000000096E0000-0x0000000009C0C000-memory.dmp

Filesize
5.2MB

Download
memory/3492-16-0x0000000009680000-0x000000000969E000-memory.dmp

Filesize
120KB

Download
memory/3492-13-0x000000000A1C0000-0x000000000A764000-memory.dmp

Filesize
5.6MB

Download
memory/3492-12-0x00000000095C0000-0x0000000009652000-memory.dmp

Filesize
584KB

Download
memory/3492-11-0x0000000009450000-0x00000000094C6000-memory.dmp

Filesize
472KB

Download
memory/3492-10-0x0000000008F70000-0x0000000008FD6000-memory.dmp

Filesize
408KB

Download
memory/3492-15-0x0000000000510000-0x0000000000988000-memory.dmp

Filesize
4.5MB

Download
memory/3492-8-0x0000000008FE0000-0x00000000091A2000-memory.dmp

Filesize
1.8MB

Download
memory/3492-0-0x0000000000510000-0x0000000000988000-memory.dmp

Filesize
4.5MB

Download
memory/3492-6-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download
memory/3492-5-0x0000000007A70000-0x0000000007AAC000-memory.dmp

Filesize
240KB

Download
memory/3492-4-0x0000000007A10000-0x0000000007A22000-memory.dmp

Filesize
72KB

Download
memory/3492-3-0x00000000081E0000-0x00000000087F8000-memory.dmp

Filesize
6.1MB

Download
memory/3492-2-0x0000000000510000-0x0000000000988000-memory.dmp

Filesize
4.5MB

Download
memory/3492-1-0x0000000000510000-0x0000000000988000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.