redline | f52ae5e6bfc76f9ea38be634ce95f6d599ca39c643bc6b8fda09a62213e01cb3

Analysis

max time kernel
121s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

390FC6C7C2B8F8D411F425A8E4CCAC38.exe
Size

95KB
MD5

390fc6c7c2b8f8d411f425a8e4ccac38
SHA1

a61674f6ef386be9c89d42dc8c7fd50a2f775fb2
SHA256

f52ae5e6bfc76f9ea38be634ce95f6d599ca39c643bc6b8fda09a62213e01cb3
SHA512

0c4fff1b0ebbedc63df667740151f5fee3dc0a5025cf9681f2915fc3667cfaa473cbd5ecbd4515dc9c28b8c2f8915c2e3cc0776031ee7e1ce58b64389854dc04
SSDEEP

1536:FqsIhaqpalbG6jejoigIP43Ywzi0Zb78ivombfexv0ujXyyed2otmulgS6pQl:DGaKaYP+zi0ZbYe1g0ujyzdMQ

Score

10^/10

redline sectoprat 20250129 discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

20250129

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2312-1-0x0000000000160000-0x000000000017E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2312-1-0x0000000000160000-0x000000000017E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	390FC6C7C2B8F8D411F425A8E4CCAC38.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	390FC6C7C2B8F8D411F425A8E4CCAC38.exe
2312	390FC6C7C2B8F8D411F425A8E4CCAC38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	390FC6C7C2B8F8D411F425A8E4CCAC38.exe

C:\Users\Admin\AppData\Local\Temp\390FC6C7C2B8F8D411F425A8E4CCAC38.exe
"C:\Users\Admin\AppData\Local\Temp\390FC6C7C2B8F8D411F425A8E4CCAC38.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA03E.tmp

Filesize
285KB

MD5
aada6b7c508d2beeb54a6bbb98e4b18f

SHA1
f96e0355c4275913971c9b9648e3bfa759910c9b

SHA256
211f1364da21ad52a041d0b51d8f9519ae23b40ecfebba95e30dae41b5906a34

SHA512
f508283619295eb54487d97c8bf1e08f8deffb07c6469f8950cc00698439cff2d4eb92d5fd1cd41d1670b005b9933369acc4c714dbf3086121cdc410428e26f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA03F.tmp

Filesize
442KB

MD5
61ace524b72795dcb1a946e7b977492d

SHA1
2318128df4b33d5541ca3758810eabc2cafdad2b

SHA256
a0d35f06815e459afbca79be08c59a10518cf615bbc198957a49d0d8bba6a761

SHA512
a7f83be6d5172d6b2bb378cd3a6a73433ad46611253d8ff441e5ea2ecc97f892ec88ec67da0bab47e354222411348c1b7445e3091100b8e0c44f1b2ae04da116

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA040.tmp

Filesize
13KB

MD5
8a53ac4ee35716bc4d429b7bd722757e

SHA1
e16f5f2a405d17fd1dd569edfc9dec653456a474

SHA256
12fe7d7b65be7769db991f4de309d2a40f695132b24743a35ce26efbd0bdbc21

SHA512
7d3403b93e2616a2d07554edbfcb2023114723718f8e23d7c655617a4a1efe981fa0fcd1efdfdbef99b64676bb6976774575cb021575d98d31571a4788ab58f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA05D.tmp

Filesize
304KB

MD5
8597af0fa82fc565392193ca0b191bd8

SHA1
05a7320aa867db2d935160e044c1e0951e639542

SHA256
6edd01e042eb4da6f2e759393c6e218bb9b16d9995268a17fa4aaf3ec13f0502

SHA512
ffa17da6eabca9598a6062bd5ea00bd9e5a42f6bd170f7109e6975beca1ccba484fd1594f8e22ccd98ef3416e1f9de3f72129fd8bec8dbebae34cde27b4044a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0A8.tmp

Filesize
20KB

MD5
1a662f00524b7fa4cf9212b68e6964bc

SHA1
b369152f69c1fe71edcaaecf550dd0bc9df07f68

SHA256
2f68011b5abd6759bf15c4d6cc067e711846ead0db27eec02675a8b2246cabbb

SHA512
81c9d43bdfe401acd224db07210af9daba722254cdeb1afd6c46f2889df2538487a14ee9a477a8cd5e31d44050c1e72591b4cda8d6a579c03f47a28a61c21e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0A9.tmp

Filesize
1.8MB

MD5
f3ad816ca4fbc5826b2aff2870e93972

SHA1
97f9a68f5dc8f287a94cabd8d0897b83a6d86646

SHA256
24bccc85cda5d68e24a480fefc63004c58ddc373607460c0ab5380783b13a66e

SHA512
924ee1cda0006cec6157cdf0754e9efd8499e693ae9e1854f5e59a75d6ca3b5d5ffe08c971f2409073de48b0dafbbb0b5a8ebbed2271d4f585a52fa192bce97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp

Filesize
14KB

MD5
ba624f96a0dc21ff5861af91b7adf3b2

SHA1
2bc4027927ffc01b989a2140756139fd1992b0fd

SHA256
d1a0fbfd3398356963a0a4452d7b08bf595a804ccab2c780e475c0510f183ba4

SHA512
3136eb35d37cd045de966777988f09257662be81837024e92c91268348d6e2ff2b568c54fef217a9816fbeba5cc5a9d9a01f60e9441b510b1480c2b01ff14c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0EB.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA101.tmp

Filesize
92KB

MD5
a58d87b023e155c10b4e15fdfc6fcb06

SHA1
0ee449b782aeac54c0406adde543f19ecd9dfd38

SHA256
331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

SHA512
1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

Download Submit
memory/2312-4-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-3-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2312-0-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2312-2-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-1-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download