redline | 0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65

Analysis

max time kernel
140s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
Size

1.7MB
MD5

27452174e04d3a8737e3abd658a2cd5a
SHA1

80b43b0e543e55d4fbf896103c9d68448a6aead0
SHA256

0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65
SHA512

5246318cb15b235db64e4a216026a2f6fa88d763a7bc56502f73b9bc53736723d01414e74ccd263156749475e1484333fc89ea7b6912ba02eb834eee7c73609d
SSDEEP

49152:XS6Jv19IiQkvlNLzIuXrE20t9kzuK2I2i/:XS6JvkiQkXPuXJa/

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4036-1-0x0000000000970000-0x0000000000DE8000-memory.dmp	family_sectoprat
behavioral2/memory/4036-2-0x0000000000970000-0x0000000000DE8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
43	3848	Process not Found

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Software\Wine	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4036	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3468	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4036	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
4036	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
4036	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
4036	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe

C:\Users\Admin\AppData\Local\Temp\0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe
"C:\Users\Admin\AppData\Local\Temp\0bd4ec2b463547c921d1233972a912a6a134a281e1a0606522b3c7e657bc5c65.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEZCMUM5NkQtQUFGMC00M0UzLUIyNkQtNEYzMkZFRUMzRjMyfSIgdXNlcmlkPSJ7MTRENUY4RTAtODE1Qi00RDkxLUJEOEItMjFDOTdGNjYyQjVEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjBEQ0U0NjEtRDFFMS00OTMyLUE1NUItNEI5NzAzM0I3ODJDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTk4MDcwMjQ0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp

Filesize
17KB

MD5
94bd99a2685eb86e1f74c36c19eba45f

SHA1
72e6dcc44c03bbe29c776fc10b5791030c4e2f64

SHA256
69c359ebeb754fdfb906d6a8cbdf4dd6976cb2f99e3110310b80d569e3d5c0d0

SHA512
898f914cf18cbb92ee71f708cb0ff1aacf5bef68f2cbabbea73ff8a2135795efdc31698188acd360bab5e6610c3749fc97bb2d8d43bd1ff267b8c11e6f69d1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE168.tmp

Filesize
14KB

MD5
d0ee82a684b3a27d7740c974a037096b

SHA1
404ccf5f765df9849ec80fa2a737d35eaa441f5c

SHA256
7286de29be7998020d037646024558c61a7e15166cf78ab7cad0321457b3e133

SHA512
5911be2f860f15ee180f71daad65f594d86d28fe6722482fdcd268a34297b7c7e204247665ae9df83adf89424b241f2654ac3f23060d3e051047cbdf7f55dcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE179.tmp

Filesize
12KB

MD5
012ea279fabc590b1a9e49a1439e8ee3

SHA1
c29db90011bedebf32765b225684c2b5226e47a1

SHA256
8d506a2ad7276f4ff07205a447512a3aafb5535d601de61783b83e728881b0f4

SHA512
e6e3e24d4916882b9989f6540a6d5b525cfff3f1bda39ceba6c999f7d0b504d3403f954859fd8a305df6099c14168f4bcbd7f4f8d2154db955f4674d2e61bd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE227.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE23C.tmp

Filesize
114KB

MD5
0f60a30191bf736a79a2da079a80b3cb

SHA1
3cf4a22aa6e0b61d6938ef7da04dea477483aab9

SHA256
373e54dfdd0bfcfa6592ce36550bd42b63caebd6b2ec58939d00c6d0aff5adca

SHA512
557f3b9a1f6c27f925af2315fdbd84b33bd329db59f89a92c60e0f48e86969a4d9b44980c0f388e16437ca1166bf95a5ee510b55792b1b71475420e0b583eccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE267.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE27D.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE282.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2AE.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/4036-6-0x0000000007180000-0x00000000071CC000-memory.dmp

Filesize
304KB

Download
memory/4036-10-0x00000000086C0000-0x0000000008882000-memory.dmp

Filesize
1.8MB

Download
memory/4036-12-0x0000000008980000-0x00000000089E6000-memory.dmp

Filesize
408KB

Download
memory/4036-13-0x00000000098A0000-0x0000000009E44000-memory.dmp

Filesize
5.6MB

Download
memory/4036-14-0x0000000008D20000-0x0000000008DB2000-memory.dmp

Filesize
584KB

Download
memory/4036-15-0x00000000092F0000-0x0000000009366000-memory.dmp

Filesize
472KB

Download
memory/4036-16-0x0000000009370000-0x000000000938E000-memory.dmp

Filesize
120KB

Download
memory/4036-11-0x0000000008DC0000-0x00000000092EC000-memory.dmp

Filesize
5.2MB

Download
memory/4036-9-0x0000000000970000-0x0000000000DE8000-memory.dmp

Filesize
4.5MB

Download
memory/4036-7-0x00000000073E0000-0x00000000074EA000-memory.dmp

Filesize
1.0MB

Download
memory/4036-0-0x0000000000970000-0x0000000000DE8000-memory.dmp

Filesize
4.5MB

Download
memory/4036-5-0x0000000007140000-0x000000000717C000-memory.dmp

Filesize
240KB

Download
memory/4036-4-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4036-3-0x0000000007810000-0x0000000007E28000-memory.dmp

Filesize
6.1MB

Download
memory/4036-2-0x0000000000970000-0x0000000000DE8000-memory.dmp

Filesize
4.5MB

Download
memory/4036-1-0x0000000000970000-0x0000000000DE8000-memory.dmp

Filesize
4.5MB

Download