redline | 4e2af86db2326d23ede094f504645213dd0f26f0e86b5059b6cf9bd5a8115dea

General

Target

094c83270e926b418dd431978ae802d8.exe
Size

95KB
MD5

094c83270e926b418dd431978ae802d8
SHA1

0ddbf017e6313f004f0c7b66ee7e2706564f16e1
SHA256

4e2af86db2326d23ede094f504645213dd0f26f0e86b5059b6cf9bd5a8115dea
SHA512

9d7dd275de9b57fd27ae5d8ebcc9a7d4842ed0c0bc8e16e9d1a16b0f7429fec562d771feca9c36c9b27c54127215c00cea772eb3248e7059351f6baa1c0a61c7
SSDEEP

1536:9qs+XqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed203tmulgS6pY:r0gzWHY3+zi0ZbYe1g0ujyzdmY

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

91.92.136.87:26264

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2228-1-0x00000000003A0000-0x00000000003BE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2228-1-0x00000000003A0000-0x00000000003BE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	094c83270e926b418dd431978ae802d8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2228	094c83270e926b418dd431978ae802d8.exe
2228	094c83270e926b418dd431978ae802d8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	094c83270e926b418dd431978ae802d8.exe

C:\Users\Admin\AppData\Local\Temp\094c83270e926b418dd431978ae802d8.exe
"C:\Users\Admin\AppData\Local\Temp\094c83270e926b418dd431978ae802d8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAEB2.tmp

Filesize
428KB

MD5
13da60262cc6dcdb843a88d060fd7965

SHA1
2137dda22fa7c95f95d4a27702f003409ff72166

SHA256
f460e92db93a77a31a55b3e988b0f09ab5d4d972e42b7e1aac6085a96bbcbbad

SHA512
6bce8bb38b99da014525230908d692a0f59546e129bb0f4d36387101aa1be19aa554057a50006fc54ca8cd46fcf6abb74aa7da137c59ae4711fd6c68807d291b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEEA.tmp

Filesize
651KB

MD5
9496fd669a22a8e77f7bf66eef7e6078

SHA1
b3c94f7e0490689ccc87c5391d939a6e15191a9b

SHA256
53a743f7ff8ea13ef3b66929ecd575a373198f15e8e6f6436bf140cbce3be57f

SHA512
56889967f90832b72eeb83cb1c71a2567a5cbf906495161edd516a607a2a3949f8084e9ec0d1b0fd98ed5389b4432a6a9ed992a6286492ef1c6e04b80622326a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF0B.tmp

Filesize
19KB

MD5
c6fed0e858c4885171fb3dfb5fe17728

SHA1
fd059ed6142b20217e9dad1b82dcad8d54fa8d1f

SHA256
e08bc9292c8fd1e900d5b93ca571a8316331449519794a0697e976b69607dc79

SHA512
fff45811208813d55439944960aa8a2cc4c2fd3ca9fe33a50928b8ca6536d098e26d71bc4a24c258f8c79080c60306ca14a8c03bccf34f3a2943cdc671064369

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp

Filesize
15KB

MD5
c0bd9fad86ccab53a365ee6bf107c49e

SHA1
bb72a4529e39b68b0f3d4d29b230f9812da9bfed

SHA256
cb6b66b8db680d177e3d32c0857872d212076909feed1edfab590f4c5572aa7e

SHA512
357a12ed2e033002bab61361bfa70c139e3a08d2aa78737d2f3eda051860b69ed17ad2bc3c7d51d5e65b723775c269ad25454ff02ac6a393932cd759debc918c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF46.tmp

Filesize
15KB

MD5
02bbcd22235307b4644b3c7ac83738f3

SHA1
b64422edf06f384e151e04ab488e86deb6973860

SHA256
000323a06bbc4dee55ad9648787e54d6261a6426196e92000bdfa9ed7bce22fc

SHA512
c56e11424c81c305d54ba29140988cc971ddee53709fd0a4533bf3a609e1289e83854aa617d3507d34e2b5a6acefaa7a514513a65bc84cef486ca8e2c9687211

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB012.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB037.tmp

Filesize
92KB

MD5
986e35377df14b98807f8a1ac29964e9

SHA1
f3994e6ce12fe89d49d063feb275ccffaf4d5bbb

SHA256
0271d4848c7100f1d664d8185799126bc0bc2170c82f87b1256b5ea316a61876

SHA512
d399c91f1b370a836caefb7f234c723bbe83819efb69e27313d6adbb6240308d45d709e64f072534963a383f5763e7b5b38b9697968d33caab28e0bcb15fc667

Download Submit
memory/2228-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x00000000003A0000-0x00000000003BE000-memory.dmp

Filesize
120KB

Download
memory/2228-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-3-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2228-4-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing