redline | 724902ab0936be774ebeb685d0be152e4fc91da28d4f398944fc98011c204d55

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Z7N5O_random.exe
Size

1.7MB
MD5

4ba31c351d47f114de7ec45ba64ec807
SHA1

5314ba39477d0a29c745d8367c1a9bd5d5cae667
SHA256

724902ab0936be774ebeb685d0be152e4fc91da28d4f398944fc98011c204d55
SHA512

5b16d057b084f88cd612002f10a45cf4d3f114ad668c802ea412c4abad04529f4365e4a52a662186f064b1d8bc3bd005e9e073c15fb8a85b3a1ee14cd2026ed8
SSDEEP

24576:UacJzs3Ds96XBY/ELPKnKSqd1wZL+gB4hI7K4mvHP4PTxLc1aoxR9sOhSVas6LoI:UPEtxY1nKSqdusgOXkAawPhAasGo

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/300-1-0x0000000001120000-0x00000000015A6000-memory.dmp	family_sectoprat
behavioral1/memory/300-2-0x0000000001120000-0x00000000015A6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Z7N5O_random.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Z7N5O_random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Z7N5O_random.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	Z7N5O_random.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
300	Z7N5O_random.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z7N5O_random.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
300	Z7N5O_random.exe
300	Z7N5O_random.exe
300	Z7N5O_random.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	300	Z7N5O_random.exe

C:\Users\Admin\AppData\Local\Temp\Z7N5O_random.exe
"C:\Users\Admin\AppData\Local\Temp\Z7N5O_random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEF2A.tmp

Filesize
10KB

MD5
1f640e4f4d64063eea067b10d55a9c2b

SHA1
017e35b2cccb242468e3dbd9b1c595d5dd1cafd5

SHA256
0eb6cbe882860a120ffd01f1c61327de04bbedc60b878682d4f5e48100d5b35f

SHA512
ebbc57c4d922a60138f4cfa3c9d7df03faaee4431299ab440731c7d03850d2b30365589c9ca26662ace2f1f1de87f4b37f1540aa591e746ee1034fbe2c87d12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF43.tmp

Filesize
444KB

MD5
5f2a42c782eade2487b9c0d5f19446f8

SHA1
a420ee50d6cb0d760b5a919675f3b27452a8806c

SHA256
5d88eebd329668bb41afb07f40616fceb393c32780c86863897bcdcd9c712b1b

SHA512
4ac54d816011b4c135f660954c321e645e9e682ed91b916ac0634d7e95c4f65fcdf8a530a169677759e433567df46ffe84138776d56672ba2fd886d6b13651e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF5A.tmp

Filesize
843KB

MD5
3ca61c09a7c481b47786740213c90852

SHA1
2da9f812451cbb04c72f1a714e10dccd5153d27a

SHA256
385e0d687d6c2cb300e7bb1af885f8e9d8a5c2f7f4444617e10340ea258a7e0e

SHA512
b6042a1913db18923d0024761ffccba98babfda0ada826a17607b3d592b62c5f1059788ee5184ab0bad8b14008fba7458609baf215e965efaac91135b69cb43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF83.tmp

Filesize
488KB

MD5
95d4cdb81a0f87a6d82ca1e1319c06e5

SHA1
0ccbcec2ee3e8207b94b8d3cf28ad515c04da884

SHA256
1d5ec47f30395ae92f22eead8cce867bc464d7bfecb89195e31bf3110bc661ba

SHA512
4147487df34d5f69368c0c445f526e8b2c539b5fd904a3aee95b6801baf30a538f376a98238129a6900279cbb8b2dc5d3c2f50f05800bb0fa98d534d581f8087

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFA8.tmp

Filesize
799KB

MD5
8cb5bc462be2c2f53a5f6a88aa489664

SHA1
ac8c7181892189a8b335ff7129cdbd329de38495

SHA256
f134768ec0ba46c0f65190e3444154c98b72fc385a5650aa7802eb226f206805

SHA512
8f53065c3e715a67438f6d38bbb5fb4e0f02c6160e86549b8b355d9750a148ca8b4123740130ffba0ca8263617cdd9813d78b4ab227539b42a3ce31de3d2ac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFCC.tmp

Filesize
532KB

MD5
7457ec80c25e5238050988522d6df32b

SHA1
28730c0da6599390ba76be24d2fdfa1506917033

SHA256
43a3a67c8642b400861d7869b43c16c3a6ff578bd72c9a07a34ed6f897d2575b

SHA512
be5f307bb24f533a2db3abf6907a0fb76a4af7b37813042dbfcfd94dbc60be033b271ad0f162878f0689deaf75a637cacea82fb343d913dfefc0466a7b277cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF011.tmp

Filesize
14KB

MD5
c0e6149fae9ae16ae30cbed999779c1a

SHA1
02991f146bb6df362fdd7869f7350e685fe75469

SHA256
672c76b8a8a2483ddd8331a5d979f496492a3691b94c99101590f92814c01408

SHA512
ff1cd1b07c1ea3ce72adf507f35562d7720ba29dec06dbdf28576d719fc00d4377654b5cf89e75d11fdaf94e81d32c55ca45a39ca5e1e83aac1451b04257f395

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF012.tmp

Filesize
21KB

MD5
39d41a71fbfec5893f5fbd6b974b470c

SHA1
d872a2dfcb1e7e572823f607282ed1dc04728636

SHA256
d316ef74a267fd6137309d5a187ac0220d697fecec22691b51ad32ffa5417e53

SHA512
3da01b9fb440da7df073d55ecad51ba1b32e04ce24bce51f5a330e63b47c177936a7bfab90fc81ae34862418a7601ef27de1df2d603afef17213c63c1bb6b0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF013.tmp

Filesize
20KB

MD5
c16be8158b911d950bd6a9637360856c

SHA1
13fb2ff88146ad7abeab5a6d21b2d5e4c4dc9081

SHA256
64c7b8817c4847391bc1d61bde4c402b384dfb01582156c7e8f1367b775f3db3

SHA512
4b4312d62764573714c2b896c125e848d921a1a9cd7a38a3f80938b5664aa8d9a1e12c5eabbacdc9230e45ca3008234576b822dfbd300ff88e548598aa18ad3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF055.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF06A.tmp

Filesize
92KB

MD5
2cd7a684788f438d7a7ae3946df2e26f

SHA1
3e5a60f38395f3c10d9243ba696468d2bb698a14

SHA256
2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

SHA512
0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

Download Submit
memory/300-4-0x0000000001120000-0x00000000015A6000-memory.dmp

Filesize
4.5MB

Download
memory/300-2-0x0000000001120000-0x00000000015A6000-memory.dmp

Filesize
4.5MB

Download
memory/300-1-0x0000000001120000-0x00000000015A6000-memory.dmp

Filesize
4.5MB

Download
memory/300-0-0x0000000001120000-0x00000000015A6000-memory.dmp

Filesize
4.5MB

Download