redline | b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe
Size

1.7MB
MD5

846a9ccaa6d3e1be42b9ec5eb5aefdf5
SHA1

577a57a76929c74d076ab8e5cac5fbde3f35f059
SHA256

b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f
SHA512

141aa25c39405eafe0e057eceb841e62773be855457b6e86917b2b560230be6fe6585810906f947e51a381d74cfc72544e9f8f25fc756010ba3158e01d82e074
SSDEEP

49152:7lOif0xC8tg3A1lhywKgxlroxXTADDOL8etkB:JlMw8tg3IlwwK6roxXC8m

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2452-1-0x0000000000900000-0x0000000000D5C000-memory.dmp	family_sectoprat
behavioral1/memory/2452-2-0x0000000000900000-0x0000000000D5C000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2452	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2452	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe
2452	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe
2452	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe

C:\Users\Admin\AppData\Local\Temp\b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe
"C:\Users\Admin\AppData\Local\Temp\b72f13de7bca13b6f113c2e33b2116faaa7eb31dc9bdfe4b476da455b16e5d9f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5FC.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp621.tmp

Filesize
92KB

MD5
ae2cd96016ba8a9d0c675d9d9badbee7

SHA1
fd9df8750aacb0e75b2463c285c09f3bbd518a69

SHA256
dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04

SHA512
7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF9.tmp

Filesize
11KB

MD5
4a06e6345b7e921e04018f5319f4dc81

SHA1
d4bf994013b76e9c1abed5543f617bc0f917bb95

SHA256
2e0b65e34fbf7e29a3184519a40e54c3b59c6c67ca1f7315e2759d32fcb30409

SHA512
3ee28ab40cb324d672ee8de3603d40bb65faad0900ebf485aa58ccd456e9bfdd82626bb6a4ec1e07ddfccd73610f642cf8a70a284597f1657e76a603c5660344

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFF.tmp

Filesize
14KB

MD5
eefb88286a315b51fbd499d5a5b676e9

SHA1
60b84787dc6897dd2d7c7e76c38a0273c3a430bf

SHA256
96938b148c52cd7ace00d07ddeb15a7d9d67597d453af0f057f251fa784fc5af

SHA512
c85110266d177d0eaa6028d296ff94022771dd9d175bc736383a83247eace0210473bc73e15df0e187b301e75d1ea1a91d6f1504b001194d21b77ba3fd072ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0F.tmp

Filesize
13KB

MD5
585cbfe01503609bec0715fae0dc5f4e

SHA1
619597af3955c0576e99a80540bbdafb91da001f

SHA256
979978374033816f966da9c263efd80ec146d6794e43bd8e737e80d70beecd92

SHA512
485cc3bec58aa0697bc3f23e5dc6a71407fa05ac176c5b4aa33ea98dac6bc0d92383a05923946cabbdf5a95f7d8e47f0d7a7bedfb784e4df3c7b001b7fac6c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB10.tmp

Filesize
571KB

MD5
fb009216053adce312813f30c54d098c

SHA1
c57abb541f488ab70b9751c53165dd24606e1051

SHA256
1418fa1a10bcd32a9e764ee258a7dbdc3992d718525b1a7d64d3187a8d00d74d

SHA512
c41384cfb5d60435bb394613d88303be704da570749ea2fb4211ec4aa77646a53f07a32cb5100b982b91429701cf6a5a1ddf6f5b1752c654b3e8f71ce888577f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB21.tmp

Filesize
20KB

MD5
2b1a96dff31838ef93d4a9a7bc980a2d

SHA1
44d74ddb4886fd288f346701c4480fb5ea070f19

SHA256
9c886d0289b3b13c2bce0347e2ad1bcb360480d921c8abc6b9b6a212bde98e1d

SHA512
e9fecb8a4dfe1d86dbddb9bd57ec8a438b4af1793698280347ff760b27b618f5002ef295475266ac35ef624804f5506a71e280c78c3c98b8daa55354cd26e73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB68.tmp

Filesize
920KB

MD5
5f2eae426a743a1eeb44be9767e549ca

SHA1
92d705b43b44917d0f2e977315e62982db8de980

SHA256
12457ad7338428890484339080a0d067b4fd8fcc0a104539e5efaed12ca1e48f

SHA512
6bdb74bb6d28e4fc7f7ef4308f448473404329a15f9b8c4f2b1ca11cdfdea6fdf3e2c72fcc0a9aa2e881a27b22b68d2dd9522732693ce52c9af344682d7ce276

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBA.tmp

Filesize
14KB

MD5
d7934a1e99b1192ade3f594763ddc776

SHA1
0972426ac33909af8d4e0083134bf252443b3206

SHA256
c117df7f5e7ef4843ecc16fafc7f5dfe7b4731bc21bb7f0bcbf0c44bb6128c02

SHA512
ba55e08669432f24ad9ba5ad649d396a22efbeb635efe9675160686b1052c7504b89661835b8251b51405041ccf2c7171bd703da8d393d9d5abbf1c0925a1e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBC.tmp

Filesize
18KB

MD5
d9afe86216eb4deaff86a311328de18e

SHA1
c13572d230aba0889cd8c07884cb6f1e2ab93989

SHA256
c9ac22936ce7df8717e78f8f4a5b89d9d2a8ce060da650b158f32c3b9431ccbc

SHA512
4de8e7bf928a29f34dd4c9c2bc0f4f82274b91f7887397958fca6456246b20d80da71cd196cd729f56e287124a06df1ae0498ba3a3c9fa4ad0b1463d6b685d8b

Download Submit
memory/2452-4-0x0000000000900000-0x0000000000D5C000-memory.dmp

Filesize
4.4MB

Download
memory/2452-2-0x0000000000900000-0x0000000000D5C000-memory.dmp

Filesize
4.4MB

Download
memory/2452-1-0x0000000000900000-0x0000000000D5C000-memory.dmp

Filesize
4.4MB

Download
memory/2452-0-0x0000000000900000-0x0000000000D5C000-memory.dmp

Filesize
4.4MB

Download