redline | 1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

Analysis

max time kernel
140s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2025 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ViGgA8C.exe
Size

1.7MB
MD5

f662cb18e04cc62863751b672570bd7d
SHA1

1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
SHA256

1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
SHA512

ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4
SSDEEP

24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa

Score

10^/10

redline sectoprat cheat defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/memory/4460-1-0x0000000000430000-0x00000000008A8000-memory.dmp	family_sectoprat
behavioral3/memory/4460-2-0x0000000000430000-0x00000000008A8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ViGgA8C.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
17	4980	Process not Found

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViGgA8C.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000\Software\Wine	ViGgA8C.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4460	ViGgA8C.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2084	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4460	ViGgA8C.exe
4460	ViGgA8C.exe
4460	ViGgA8C.exe
4460	ViGgA8C.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	ViGgA8C.exe

C:\Users\Admin\AppData\Local\Temp\ViGgA8C.exe
"C:\Users\Admin\AppData\Local\Temp\ViGgA8C.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTZEQTdCMTgtMjQ1RC00RDcyLUI4REEtNjI1RjFFRkMxM0NCfSIgdXNlcmlkPSJ7MEQ5MEZFMjMtODBBNS00ODJBLTlDNEYtOThGMkE5MjNDODhFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDM2MjhFRkEtMjRCQy00NEI0LTg1NDItNTNBNzY5OTdEODRDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMzI1ODE5ODYiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1E2B.tmp

Filesize
20KB

MD5
44c2884ebf393e01e8a4824cc4cbc594

SHA1
cbdf01c78972c1c7b90e9d0b5c1c7004160bdfef

SHA256
b0843d7d6dd3fd14547f403f9ae2c0ff3ac97670793128b78c89decf6e051d22

SHA512
6e43508c62e4dafbe5448467b061f3ff6041eca2deb59e52eff0f896e13d307557f9cf1693e3fbc8ed5e42b05d4cecc7aca0224eac8bee7c8a59b818ac8e0131

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E2C.tmp

Filesize
14KB

MD5
7e874a28feeaa73e281f174cfaf75526

SHA1
67dee2b8288d2b504a7c2fea4d0dd96613b2e1eb

SHA256
a62f8b5f454daaa382dcf54260117e2b6f0db6c5f43b4ef57caebca2cfa99ebd

SHA512
23d86d1860620d1706276fb28f6693b61b96d3d162ddf657f21bc649664f2ff8de8e0941ef7020e6a22f556d027e345a31d4406c172203bb17e1f45de85e85eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E5F.tmp

Filesize
12KB

MD5
248734daf8bb3ea585ae691f03227708

SHA1
1a2be8dffbe3ff1d5f9ad1d13d493a834a49126f

SHA256
eb21eba87bbfebe69d247b0d70a5500ef96d555085e28d2e3e735fa9c43e5360

SHA512
bb8891930328c45648ddadcf4cc5454ee18fe86f7e13afd262acdb254ca5da89ad69a3ff69253e1aac99e8ea4e9f2962f8ecf482018b98a55bbc459964245f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E75.tmp

Filesize
10KB

MD5
d86dd3804101a714eb7d1b8c5d0a7c8e

SHA1
4a8ce3b73f8c91e91c9d8fa3620464638c0304a8

SHA256
96a1e71f5a23750d77421f0829e90a3d9c59a9b073cfadf2d09451cb9c85b5a5

SHA512
43a4a9694e604d72f29b7d1dcc80c1968b617128fa57ad2de7cf0e43fc55a2d920e4b35ecbca6fef28d5fd54965a07261753a25e7abc8cd26b4f4aa6dfaeb064

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EA8.tmp

Filesize
15KB

MD5
3727d22adb1f2902114f2eb8a4228f0a

SHA1
4da13ef565ce37ad8b1c9d239784f2461b917b96

SHA256
d01c18d56e26bd7d323fafb29ef30938933629e56c1a8fc588e587c8683c82e5

SHA512
7fa13dfe39cc39acca078dd463e59bba813f47b19af9858ba8f3f5067ef4beae1c8d8e56f6cc4d0088fa10c17972c18452bc9f09594860098214ef9832bdd252

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EA9.tmp

Filesize
998KB

MD5
bbaa8eb10f2d96b56fbbebf2a02820d5

SHA1
1c6335fe4c537cb87d1de1c757ca6b694a812c69

SHA256
70c6b0d8c62271346c3667b663fbd5fb4ba1cdbabc8c79074bcccb7dff8d9003

SHA512
e668a0556ddd42c1b8f0488e2087e67057ac1f7c657960098edb27e2a198c551caebb143c8d9bd28cd8cb2b4fe555a267de60128d5f4e7e74df46a58e8d7a2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EAA.tmp

Filesize
18KB

MD5
2f978777edc692696444d734956065ce

SHA1
0f58a509e2769403e7484d27576fdf35ff3080ec

SHA256
2f6d7eb7c00b6c36cb490e997217a4e92d3f72fcf91a86da74a395f8f9c4f30c

SHA512
c44d1b65d18eddbe9ad2b39160a8ea5486291ff05e1b6afb7dd24f1a296ef018fa1ad5c93882050b1b4169aecd881bdb4f0fdfed3ab655f638717d90bc4788e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EBC.tmp

Filesize
15KB

MD5
02215a6f3eb05f46f92fc936b8beccf3

SHA1
108eb9853e35762cf70be07d3deec02b9d303535

SHA256
deb2410527fa61432e610b554c538a9736d0364d58aac74dd7fcdca8277ecedb

SHA512
802fd822edfabff5861b19e068331fcd47590e4a541148f8ba7c6cbcf8b46b3ffb6332e0e35eead7337de23c89f541bd8e1b587890fbab0ec7df0c0418b0aaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EBD.tmp

Filesize
13KB

MD5
47a45273b662a33a7899035745d1a86c

SHA1
f5cb8dbaac4ae4c9e75fac037d2b2fa1d051ba69

SHA256
93ac05ffbb303ec3ad324a78782f771a76806090bd780f18b9be3c2e135c6c5e

SHA512
42a018117c7bec6364963e452bd7e6c6d2b1e9ef1ec9afa2c57164a5aca3d6dbfab4769c41a80268ed6380ba2b9ffde203bc28ee7785ff9a29f5ec8f332cafa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2093.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20A9.tmp

Filesize
114KB

MD5
ea6fa6999e1adda72bcadfbbafc7e41f

SHA1
3b3ff3ad8c7aa0cc57dae6b19736f5d1502f301a

SHA256
f57750af4365e35010fc96e7e087e1e15f39752831997338b20e82eaf9382b4a

SHA512
b029cc7b1817a7f3a1987aed4333469f672f213f1726322f6e0830290fad7c689fe19e3e20869ad4b9606e86b10cbb795e23637e5c67f795a73ffa377fc59a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20E4.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20F0.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp212B.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/4460-7-0x0000000007810000-0x000000000791A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-199-0x000000000AA10000-0x000000000AAA2000-memory.dmp

Filesize
584KB

Download
memory/4460-11-0x0000000009350000-0x000000000987C000-memory.dmp

Filesize
5.2MB

Download
memory/4460-10-0x0000000008C50000-0x0000000008E12000-memory.dmp

Filesize
1.8MB

Download
memory/4460-9-0x0000000000430000-0x00000000008A8000-memory.dmp

Filesize
4.5MB

Download
memory/4460-0-0x0000000000430000-0x00000000008A8000-memory.dmp

Filesize
4.5MB

Download
memory/4460-200-0x000000000AAB0000-0x000000000AB26000-memory.dmp

Filesize
472KB

Download
memory/4460-12-0x0000000008E20000-0x0000000008E86000-memory.dmp

Filesize
408KB

Download
memory/4460-201-0x000000000B0E0000-0x000000000B686000-memory.dmp

Filesize
5.6MB

Download
memory/4460-202-0x000000000AE30000-0x000000000AE4E000-memory.dmp

Filesize
120KB

Download
memory/4460-6-0x00000000075C0000-0x000000000760C000-memory.dmp

Filesize
304KB

Download
memory/4460-5-0x0000000007580000-0x00000000075BC000-memory.dmp

Filesize
240KB

Download
memory/4460-4-0x0000000007520000-0x0000000007532000-memory.dmp

Filesize
72KB

Download
memory/4460-3-0x0000000007B00000-0x0000000008118000-memory.dmp

Filesize
6.1MB

Download
memory/4460-2-0x0000000000430000-0x00000000008A8000-memory.dmp

Filesize
4.5MB

Download
memory/4460-1-0x0000000000430000-0x00000000008A8000-memory.dmp

Filesize
4.5MB

Download