redline | 724902ab0936be774ebeb685d0be152e4fc91da28d4f398944fc98011c204d55

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Z7N5O_random.exe
Size

1.7MB
MD5

4ba31c351d47f114de7ec45ba64ec807
SHA1

5314ba39477d0a29c745d8367c1a9bd5d5cae667
SHA256

724902ab0936be774ebeb685d0be152e4fc91da28d4f398944fc98011c204d55
SHA512

5b16d057b084f88cd612002f10a45cf4d3f114ad668c802ea412c4abad04529f4365e4a52a662186f064b1d8bc3bd005e9e073c15fb8a85b3a1ee14cd2026ed8
SSDEEP

24576:UacJzs3Ds96XBY/ELPKnKSqd1wZL+gB4hI7K4mvHP4PTxLc1aoxR9sOhSVas6LoI:UPEtxY1nKSqdusgOXkAawPhAasGo

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4472-1-0x0000000000650000-0x0000000000AD6000-memory.dmp	family_sectoprat
behavioral2/memory/4472-2-0x0000000000650000-0x0000000000AD6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Z7N5O_random.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Z7N5O_random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Z7N5O_random.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000\Software\Wine	Z7N5O_random.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4472	Z7N5O_random.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z7N5O_random.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4472	Z7N5O_random.exe
4472	Z7N5O_random.exe
4472	Z7N5O_random.exe
4472	Z7N5O_random.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	Z7N5O_random.exe

C:\Users\Admin\AppData\Local\Temp\Z7N5O_random.exe
"C:\Users\Admin\AppData\Local\Temp\Z7N5O_random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC16.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC2C.tmp

Filesize
114KB

MD5
12aa64d59a5e6e0a7944b2f8ed5d9bda

SHA1
935e80e0b4bc8865885b8e1ba904b2c238d399e5

SHA256
8412b5aa0d77b39a086d2648978c172904e3c5335f3d0ea7ea9bfc43a01214c9

SHA512
d4858b9fa051dfecbacd167865d76fa0e18798fd6a76ee58f5da75f19c052406be6d3cfb124a9414635411e124f09adf8536c9c30e2eabb28489f72364c45976

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC48.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC5D.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC74.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC9E.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF2C.tmp

Filesize
640KB

MD5
7f66902af040c0cb53a04e832b2ff80c

SHA1
7e72e54357b47b178f3c57ec1c8ac04e58dda805

SHA256
a04b92216d4dee7754267ab26ecce4679b460e9466cd890809236764d08fb1ee

SHA512
e52895395f6d52150eb7b69dc2c224e3ac70b8f0f5f5b144099104d374fa84ac083c9a0ece927e1441631ff18de0256330636ae9cff25dcc6200c05f780b1649

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF2D.tmp

Filesize
16KB

MD5
a59c8cfec205246abcd5430dfbbf8dd2

SHA1
b3c18f2d91b54bc60cfb9ceb20b5709b39846e86

SHA256
e761d1fd46241141969b7998c44df30819c217d4db1ddd5ba6d7db864efcc701

SHA512
891fe9b527ea8480336a2056f346dff831a36efdf0d78cbf81fd9eff0d19bb2815e7cedf9659cd641e3dd18c54b3353726927b2a668e75068a66978a642e52c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF40.tmp

Filesize
586KB

MD5
ab260604912c6d1a2421a1d9fd48b8c6

SHA1
1629a4ec28e29951c117046cf5a855892126c174

SHA256
94057a5b7438b348d9d427df755e4af59626232c16cb6de3818d589071ab4f59

SHA512
85860296c3a01d1b573201204bfcdcc39b7cccb3df16ee4ee58fc0cb55054cdf756a1f774fe73a73f6d53b6962faecc9192f33b2ccc4657f8f4dc548ab2aaa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF42.tmp

Filesize
10KB

MD5
b817c8735907911a8e06d75b229be29e

SHA1
ee70a31e253c0140497bda8c447664428922f0de

SHA256
2420a0624d60299bdff6f9c570397b8f13026529be393483a06c60cb47fa243c

SHA512
96c57bcbffbdd882d49ed6a3db6ec40c6774325590c0763b86c1d7ce63fa61ad1c0b925b06e1199f910e40dd53127432a1b3bfe560c63ead5b776627586e4c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF45.tmp

Filesize
14KB

MD5
f2877c70e6d14d3e88335f2e6a85985c

SHA1
909b2f8d50724405c7b88011036e700ad0f81bf8

SHA256
853fc8e340db41ff79082054939651ab4706cccae55dc439f87b9a8203c13af6

SHA512
9a57ec34e4e85ee92f948250d6ae9717c4e5721fabc2e193b7d6a08ad0232fe7ca4e0784bb4eabf1896fed52ba597158bec029306bb144395b8cdd63cfe2d870

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFD8.tmp

Filesize
19KB

MD5
96359aecf8fcef17e0215ee76bb7123e

SHA1
e19b39f650410b85a175914ce898092adbd64ed5

SHA256
51280ed7d9e433bcc3ae155d45d3197c0d4480a84493fccfefc7d960884e33c3

SHA512
cad0bfbbd25f89f7c78c939d5e8ba9c9740449d6f23763ce0ec751835e0b6bbc85dc292d338c07bb781e31cdbf1068f934de3c51abcdbfea4ee8741832ba9b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFD9.tmp

Filesize
13KB

MD5
725d07ec7c85bf550a9c9385765d6be1

SHA1
16493f054c04f4e6701ff4546bbc099239848e2c

SHA256
bae43472fedc6b491bf690c5179ce8fae558054795aca6f36701d5cf9ce1ff89

SHA512
7a71e73178e191e25fdcf91c7179f4132f538b5acd2eede93bdf798fd4405eade80444c9b72868bd9c213b4503cedb9e4e089739479816907662a548ea2f9c71

Download Submit
memory/4472-7-0x0000000007740000-0x000000000784A000-memory.dmp

Filesize
1.0MB

Download
memory/4472-169-0x0000000009650000-0x00000000096C6000-memory.dmp

Filesize
472KB

Download
memory/4472-11-0x0000000009120000-0x000000000964C000-memory.dmp

Filesize
5.2MB

Download
memory/4472-10-0x0000000008A20000-0x0000000008BE2000-memory.dmp

Filesize
1.8MB

Download
memory/4472-9-0x0000000000650000-0x0000000000AD6000-memory.dmp

Filesize
4.5MB

Download
memory/4472-167-0x0000000009C00000-0x000000000A1A4000-memory.dmp

Filesize
5.6MB

Download
memory/4472-168-0x0000000009080000-0x0000000009112000-memory.dmp

Filesize
584KB

Download
memory/4472-12-0x0000000008CE0000-0x0000000008D46000-memory.dmp

Filesize
408KB

Download
memory/4472-170-0x0000000009760000-0x000000000977E000-memory.dmp

Filesize
120KB

Download
memory/4472-0-0x0000000000650000-0x0000000000AD6000-memory.dmp

Filesize
4.5MB

Download
memory/4472-6-0x0000000007500000-0x000000000754C000-memory.dmp

Filesize
304KB

Download
memory/4472-5-0x00000000074C0000-0x00000000074FC000-memory.dmp

Filesize
240KB

Download
memory/4472-4-0x0000000007460000-0x0000000007472000-memory.dmp

Filesize
72KB

Download
memory/4472-3-0x0000000007A60000-0x0000000008078000-memory.dmp

Filesize
6.1MB

Download
memory/4472-2-0x0000000000650000-0x0000000000AD6000-memory.dmp

Filesize
4.5MB

Download
memory/4472-1-0x0000000000650000-0x0000000000AD6000-memory.dmp

Filesize
4.5MB

Download