redline | 1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.7MB
MD5

f662cb18e04cc62863751b672570bd7d
SHA1

1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
SHA256

1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
SHA512

ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4
SSDEEP

24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2020-1-0x0000000000C40000-0x00000000010B8000-memory.dmp	family_sectoprat
behavioral1/memory/2020-2-0x0000000000C40000-0x00000000010B8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	random.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2020	random.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2020	random.exe
2020	random.exe
2020	random.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	random.exe

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEDC3.tmp

Filesize
10KB

MD5
aca13cc2d84f7376ad1ec4f40e4ce01f

SHA1
c02992835b3b9325921844db3a08a13a89e940ed

SHA256
d61236b39995a8dc99bc6843587c62b69d7db50a94dc19e478186d807845da23

SHA512
fc6f08a2e3d44a7d9192f94c3d9c74efc95b0b49c9344face797c8285cf29cbd0f187b35cfce03fd9bc12bc4592663f2473e91a9c93c1c3793e47ec7e56256a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDDC.tmp

Filesize
444KB

MD5
f639d0554950843d6d983f2e46a4ebf6

SHA1
a2bce70e384fc6b828a779e083605708138d650e

SHA256
01536ead58de2174a425e9c7c9769a9455105842507b91fb24bcc7dc30716d28

SHA512
97f7649d2624e4e0fa9a5832202605bc2107dbb24114192dd0edca8ee77250906e6f5072cc0fc502fc72ab15f6f2ece2be72d90b1e6d022864e3af17dcef7c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDF3.tmp

Filesize
843KB

MD5
5e05d0664a104bcdaf403cbb7e6356b5

SHA1
de73fbc3c08c3846b280177ed047ed9eed3ccc35

SHA256
9d8199c302644a69b6bf3fcee915d5697025213cc144246aa9b60a21289f2b04

SHA512
1bcfb74c9fc86d0ad27c105db5888f2c9746f4266f7775ec3e9fc3cce8119dcd621d904ad51cac384f712d7e32c63d6fc7fe7d141fb86cba53527a2c2829e4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE2C.tmp

Filesize
488KB

MD5
6f3d509be0e353879489ced720f98955

SHA1
e922f79ca6458e50023416016d58de34665382f6

SHA256
ad7cd4e043a623ac0530f2808b72d457820856a0de6d9400fd0bae83c3f71727

SHA512
ccdb13296ce4b34d1aca57f379130825340be908e9b80aaa362edb80d83f0e4a8cb7aae39ec9e7c111f1befb55a87d9bcc0dbebefa7cf7e7839b69f9acd5ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE51.tmp

Filesize
799KB

MD5
6ed73b34a980f597bf3b0dca50935015

SHA1
4fd47297681d5a4d0b41303c21deaf709be80a0c

SHA256
c2f6f1e4bef0a16921936bd9a8f22c6f4b75fde509f3f18eb900573db849e8b7

SHA512
2acce130f5ffbe75cfd615d93d24629915fd0db539e8dbf2659ec9aa40176af53a5d0b4ce4ee8b54aa6699bd1a2a68629b51b49e78af09b6eee5c3d4e3744cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE75.tmp

Filesize
532KB

MD5
a0bed9dfafb757e8dfaf3f838ac1ba3f

SHA1
14886cf2050f18a337202adaf16f6ff725262817

SHA256
09462f84c5de9d9517d03a3788c5a8d5a55a06c6e9a9148baed45b6b357ef80f

SHA512
144d2ad45a2c4e0a69646b40822a90e0f168b18ff72b3f6f57791ea344d5ab71981cf1cf9987f1ebc82802757803ec42a52bbc9c5b69ecba912ea8d3556d2107

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEECA.tmp

Filesize
14KB

MD5
2de1dc8b4de6eea33fefc0fd1967c33b

SHA1
711637cadc3b729f3381a834b02bab258d8e362f

SHA256
180c574f82f5479143504afeaa1697cd05f16094cc3e6af20fdc53489bd1f64c

SHA512
dd42c4277e0a0ef581d441b64983f86faccff5506d5e81bc047a06ef94343e892cde4c212d060ea4d1552a3e0994628b3fe19b7b45516e7edcff6a27be4973ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEECB.tmp

Filesize
21KB

MD5
6191d7230e72dc33b1d6f9c0a31381e3

SHA1
05c80f413402b9f431e153ce1f60c3990410b113

SHA256
41e139ee080247fe64370e6c99b8c346c46c94bc9bb7283383491f66bde245aa

SHA512
c27e31351ed72bfd71e76d4ba1c06175c72d49554290a51d338b9910ccce56ad6ab8fcf5630dd432a2c8ce62e9066190f36d04a6d6434b0ad4aba6444321c6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEECC.tmp

Filesize
20KB

MD5
bf344d763c3cc2ce09b862723215abe3

SHA1
6e007d6895aad8593e3ee22eb3636bdf9751626e

SHA256
e158dd906bcf9260c9b9c44e1e905c8a55d3f99806fa7036a9941a3cefaa5c7a

SHA512
803f2e5b38b5d8fb74bfef73d5423335a876bbd4612115111d842f0dd5024026afdcd110ef19fe53ddae5b9ea3ea2f4b7db50ec195d5905c6edc6cfedd7ab341

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF370.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF395.tmp

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
memory/2020-4-0x0000000000C40000-0x00000000010B8000-memory.dmp

Filesize
4.5MB

Download
memory/2020-2-0x0000000000C40000-0x00000000010B8000-memory.dmp

Filesize
4.5MB

Download
memory/2020-1-0x0000000000C40000-0x00000000010B8000-memory.dmp

Filesize
4.5MB

Download
memory/2020-0-0x0000000000C40000-0x00000000010B8000-memory.dmp

Filesize
4.5MB

Download