redline | 1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

Analysis

max time kernel
140s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
09-02-2025 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loqVSeJ.exe
Size

1.7MB
MD5

f662cb18e04cc62863751b672570bd7d
SHA1

1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
SHA256

1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
SHA512

ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4
SSDEEP

24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/memory/4628-1-0x00000000009A0000-0x0000000000E18000-memory.dmp	family_sectoprat
behavioral3/memory/4628-2-0x00000000009A0000-0x0000000000E18000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loqVSeJ.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
12	3424	Process not Found

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loqVSeJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loqVSeJ.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3582203-3971487063-2733630963-1000\Software\Wine	loqVSeJ.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4628	loqVSeJ.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loqVSeJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4888	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4628	loqVSeJ.exe
4628	loqVSeJ.exe
4628	loqVSeJ.exe
4628	loqVSeJ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	loqVSeJ.exe

C:\Users\Admin\AppData\Local\Temp\loqVSeJ.exe
"C:\Users\Admin\AppData\Local\Temp\loqVSeJ.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTMwNjNBNTgtNUJEQi00NTdELUFDQkMtMkIxMTU2MjNEODE2fSIgdXNlcmlkPSJ7MjQ0OTM0OEYtMEUwMy00NEVCLTlFQUUtRDNGQTJDRTE1MzAxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjI1QjNCQUEtNzQxOS00RjdELUE2QzMtNzE5RTI4RDk2MDU5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1Njc0OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MTcwNDQ2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4Nzg4MjIxMDEiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBCE8.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD0D.tmp

Filesize
114KB

MD5
bc121805f3688949acade467dd41dfc3

SHA1
82e1cfaf0852bbd7377a5dab90823a43faf274ae

SHA256
217c231c8194e96bfffe09c342202ccb241d031cd8a72871e5d14296e4e92d07

SHA512
30020411cc9ff625f517d787145a61ea831701a2c88d094eced0af756cd6632652f99bbffc117c9a2ee03b9749955614827ab145513c2120d1969311f2d70cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD39.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD4E.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD64.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD8F.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE8D.tmp

Filesize
17KB

MD5
51b8ec67c32aad6043ee4898a25fb445

SHA1
ffadd10895ea23420be9cc5902bdaa805fc014f2

SHA256
a11502cf01a570cf22bf04050dc617904fa0a21a5549dbd46040d3a346564047

SHA512
7231d36c8b3f3004866798556fe695c607319eb47fb7bbb40c245c886f9a9693f262f468507bdb6773a71ffa4cc16c2e0190b54379f94953bc3a8b9001e42ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF42.tmp

Filesize
18KB

MD5
01c706eaa36a5b46dfc380fda179f825

SHA1
1bc556bc64fca3dd855d522af771ca42e6b76edd

SHA256
eeecf8a393be8d0e8fcb665da0657841dd0262dadda367779f41e622b4ca2094

SHA512
b893d43b29a610c724c8213931bd569bfa44f9a29a9696315c20cadc2db7869b2263fbeb7a50ec0d6b07c9702120ee0b3056bb1c77aa54136e9e49b9daf0ab98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF43.tmp

Filesize
403KB

MD5
e8a19a461e41a499187d95e9e2b31959

SHA1
a1d64d52451128d2b37b9f4aa60847b00be25c3c

SHA256
ba9d4bd731ba302a2376eb28666d00e7c180f789de6d70ee943ff866adb73308

SHA512
fb32bcf6ddbd4cc7b5c0bce565eac6638934ab9c52a0d42d02f89f1deff3072f7812b828d60f18cde2cda0a889a58ce8191f27f9c10d878b51f6d3c75156a9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF54.tmp

Filesize
696KB

MD5
ef95be1ad9113c0a231249faef64a023

SHA1
0dcce0a2c8602529451cf1cfae74d5ce63d92024

SHA256
a3091822f771045cb663ad3f84dec0198d6c3e07877dadd0b9e62b1a2af7f2db

SHA512
658eee9f10ad6e69097779793b418bd8fc0c15e0a8ba1241aca38942df00ad62b5def07458306fc8931e8e51b4c5055e2c2e58293c12798268123a42a3db17ed

Download Submit
memory/4628-6-0x00000000078E0000-0x000000000792C000-memory.dmp

Filesize
304KB

Download
memory/4628-9-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/4628-13-0x0000000009270000-0x0000000009302000-memory.dmp

Filesize
584KB

Download
memory/4628-14-0x000000000A160000-0x000000000A706000-memory.dmp

Filesize
5.6MB

Download
memory/4628-15-0x0000000009330000-0x000000000934E000-memory.dmp

Filesize
120KB

Download
memory/4628-11-0x0000000009680000-0x0000000009BAC000-memory.dmp

Filesize
5.2MB

Download
memory/4628-10-0x0000000008F80000-0x0000000009142000-memory.dmp

Filesize
1.8MB

Download
memory/4628-12-0x0000000009150000-0x00000000091C6000-memory.dmp

Filesize
472KB

Download
memory/4628-7-0x0000000007B40000-0x0000000007C4A000-memory.dmp

Filesize
1.0MB

Download
memory/4628-0-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/4628-5-0x00000000078A0000-0x00000000078DC000-memory.dmp

Filesize
240KB

Download
memory/4628-170-0x00000000095C0000-0x0000000009626000-memory.dmp

Filesize
408KB

Download
memory/4628-4-0x0000000007840000-0x0000000007852000-memory.dmp

Filesize
72KB

Download
memory/4628-3-0x0000000007FC0000-0x00000000085D8000-memory.dmp

Filesize
6.1MB

Download
memory/4628-2-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/4628-1-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download