redline | a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a

Analysis

max time kernel
140s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/02/2025, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Evo-gen.12305.exe
Size

1.7MB
MD5

5937ca40bd9145c27e123daaa40b1266
SHA1

455fa1eec4efa958f29ec41f0e1bb9328ae0a2ab
SHA256

a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a
SHA512

68bf97fb2b685b5bbcd729b199bfc2f9a0bccdbbd30ea2d3c4cd93cf63437959a0469e73415d59b5bcbc760569eda27e4101dc7895637c6165f05ab0af3ebfde
SSDEEP

24576:0MqYqSIKFeubKl99mF9wN6zOl8lB5RbMB1b0FThwrUYqsH/f7oALa9X+:VqYxFTW9w/RzC8H5WB1bAjYUALQX+

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.214.142.152:26264

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x0000000000860000-0x0000000000CDE000-memory.dmp	family_sectoprat
behavioral1/memory/2424-2-0x0000000000860000-0x0000000000CDE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Win32.Evo-gen.12305.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Win32.Evo-gen.12305.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Win32.Evo-gen.12305.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	SecuriteInfo.com.Win32.Evo-gen.12305.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2424	SecuriteInfo.com.Win32.Evo-gen.12305.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.Evo-gen.12305.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2424	SecuriteInfo.com.Win32.Evo-gen.12305.exe
2424	SecuriteInfo.com.Win32.Evo-gen.12305.exe
2424	SecuriteInfo.com.Win32.Evo-gen.12305.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	SecuriteInfo.com.Win32.Evo-gen.12305.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.12305.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.12305.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2483.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24B8.tmp

Filesize
92KB

MD5
6d9ead954a1d55a4b7b9a23d96bb545e

SHA1
b55a31428681654b9bc4f428fc4c07fa7244760f

SHA256
eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c

SHA512
b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A05.tmp

Filesize
21KB

MD5
b667576507cbfb0217aebc4ca620c42b

SHA1
140a93b108f7a899ca60cad3470540a4b9839da3

SHA256
a23d6f533e21b4ff4f612687dd1021e464a5d58d3aed18c2f094d115719fa7fa

SHA512
2997503a8317ce349ca12d727d5194de6faf5e30ad461010005c28cbfacf9cbc06c7bccd16781cf721db93ad35214a03e7cd7a5df453c98a22090e91e1d9debf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A06.tmp

Filesize
18KB

MD5
3dd8d347972718a49206e03122543e42

SHA1
46d8cb094b821c8ac3dd5b09b6725823415e5e8b

SHA256
d9dcae95087e5a5f0dbd67ad893fbbfd16697a6a41594d625ce3b9e6d0f67a19

SHA512
6231097cb3b41adaab04df1288f746e8f8c1bac46a3e593d0c1825c09e50318e3bb7edd0850b8c294a92c5abf25d1560d0b5c252a5556403f2aea8d2d02a13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A26.tmp

Filesize
17KB

MD5
6e15d56ac1e93a781e2191996082edd9

SHA1
1eb2a470a584b923977666e5dc24e52261c4e417

SHA256
e66dba7c64d93b519c4926fe287f512f849cf06a8b473a203e395d54c0ad55cb

SHA512
4001c79f6e5c9de44289e742a4d075ba2634188a4b10fc2bd2a024c781caf3075ea273e3011f54225bf08e4e921d8f9f1868a1c9a53c4a19a19efb85a0cf0eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A4C.tmp

Filesize
12KB

MD5
a53658d3e36cc30144c956bd97f27e4b

SHA1
e5a77cc48f84ffbb1a22043945ee82e4b9f08ca8

SHA256
7c1d0f0b25d7924920e4628cfbd91b4e2086fe1fd57fb7c90514b0d0f499672f

SHA512
f8c792ac774ae2a3f1be6baf53df5887731827674d0964908ff7d9ec1acbcd08483ee1368aff03fe09ab7b7dbc0ba7695af22bdfd52c84e90c77d55a149aa1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A60.tmp

Filesize
18KB

MD5
2bbddff61d884d3a465425f66963fd8a

SHA1
f56c7353aa70c971800b7597d316d4590bc4fa44

SHA256
d4c500c59efb66f0316cd1f6cc8f5522271434c1900847102041d1949fdb6026

SHA512
2ad364cac827261df282fe817b966ae7274b89e9395284c1149c93922dd3b411569e89db905cbacdacfd0c8d8d046b77ea8670bf983b4d470cff9873a939177f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A71.tmp

Filesize
16KB

MD5
7422ef547348f1a21ee48ea804e4ca5f

SHA1
eda4582a984ec30d2c7b657977ee13ad44872c02

SHA256
11a63ef3da7ba3271368f665c46b07b006968a230645610aaac56e58deefe2ad

SHA512
7ecfc5ee48785b4f4717e3ae6d9c0729d67780227ce0ee751eb64857a7da15313252da757f0719238e7c69fc616ece4d0f0f4be9e5200f32b5f0357003de43b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A72.tmp

Filesize
19KB

MD5
624e23d35c94d8b01c82b1216a080e5c

SHA1
550505ba05178deb566f28a03f726e680de73680

SHA256
203accf3537c9a28946bfa63572c8ebfe93f9b86c5af9626d523ad3d696b631d

SHA512
1b29039a58523a68c4749e3efaee4f272f45358f14e2fcdd47dcfa418e8acec4773f5ca0b0d4c41566bc8665f21ba496601f86368f1b261a3ca02c7ac670ebb4

Download Submit
memory/2424-4-0x0000000000860000-0x0000000000CDE000-memory.dmp

Filesize
4.5MB

Download
memory/2424-2-0x0000000000860000-0x0000000000CDE000-memory.dmp

Filesize
4.5MB

Download
memory/2424-1-0x0000000000860000-0x0000000000CDE000-memory.dmp

Filesize
4.5MB

Download
memory/2424-0-0x0000000000860000-0x0000000000CDE000-memory.dmp

Filesize
4.5MB

Download