redline | b931b29b50423a8b371ce61b28d34ee010d2ef26c0dad533fd04c84dfadc8dad

Analysis

max time kernel
108s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Implosions.exe
Size

2.6MB
MD5

f64a8cf8be324bf637a1056df0c6a90f
SHA1

fb77edc2d8b0771ee201d7068651c50c7e8ff11e
SHA256

b931b29b50423a8b371ce61b28d34ee010d2ef26c0dad533fd04c84dfadc8dad
SHA512

8b7d0b21da9a74be9c8bc3d2ace502f18d234c4b8311fe483563e042dfd14abb585bf971e58c6b108a971aa4a262e9ae3646dfa51edc21892e6cbbb95ea537aa
SSDEEP

24576:UpLroeRrsocze8duf2Q+0u+pIuwZaM8/WhUpx2bsfCAo9xPleHY3U90PPBtk89CX:iRrBR6Yu++eY3U9WBhnHNvW7

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2176-1-0x0000000000860000-0x0000000000CD8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Implosions.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	Implosions.exe
2176	Implosions.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	Implosions.exe

C:\Users\Admin\AppData\Local\Temp\Implosions.exe
"C:\Users\Admin\AppData\Local\Temp\Implosions.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC47A.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC48F.tmp

Filesize
114KB

MD5
db78fd083bc8918ce8a2cc5cb79944db

SHA1
8887055003ce9177d6eab0f7a427f093e1746118

SHA256
c9bc9eba37de0346ed5661939e150bed121d880d563098857ca846bb854fb1ef

SHA512
cf8f216f2a851fb208f2f534efbcb64c60a4009683bdb10887426412ebe39fd7908ec8ac039d7fca5ac35f4d85a7698da5ac02b5350022096a47582a62c72666

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B1.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4C7.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC79F.tmp

Filesize
15KB

MD5
49ef05014778f973b49abae84e2bb696

SHA1
9554325b676ceadb2e1221491b48fdd62adbf3a8

SHA256
3c2b68e3d816e8fbc8b8222d69f521a8c11f87f405e383f2787e0c7a005661a4

SHA512
55bd76c254727ddc9c6705c9e9ec3726ea23d9c26e5cae8fdbe5521a334c3c571003b151c1d081a3dcbbc8c6192ba1d8e6c27a78b893d4bc532d66c4884c6ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7AF.tmp

Filesize
14KB

MD5
606bdd8b0b67a01857e2b14a1c6d0fb2

SHA1
12d72050329b50a0626b345470099a4acde0be0f

SHA256
1e40dc52b5fd0c7b50fdc4b69395c77a35bdaeecde783ffecf729297cdad6113

SHA512
4eae6375f6018b0e93a0e23c2ffdf4167a82b207881fd00aea9c48d4db92d515c7bd5a71a0195ccf0deaa9fc17bf23ed6f8b8306ebb81d4c129f2447815a061e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7B1.tmp

Filesize
16KB

MD5
fdfc666535bec5c2babe8c7e9feb0ce3

SHA1
6df6482b6320ff5a4b84f46384a228901174f39d

SHA256
42283b457bdb57155a10d209b41742fa98860415a86f41b7d2b8bcd2e2fca1a4

SHA512
549a73e6dca6b07f37eb93ed364be14941f8b70f144686d429ee4685bcffb32ac4c1d310bc02289b0e61eb38454798e25fe1d3fc38ee3c389fd8bbcd59f330bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7B7.tmp

Filesize
459KB

MD5
008b4f087a521f49e082c5b8f8103a3f

SHA1
5eeace3f30c8221960b6b3861b57faf649a6991b

SHA256
260aa48917deadcd615ba40659b158aed27fc99e6df97c3c62b816fd99b7d544

SHA512
819417079afd3b93a2978810e6800812201e69ef6bd03167ced5a8cf8ee740e28b3d7cf96b3fcc72d0e1ffedadff2ee450829230ab17ed1465d8d78140b275c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7F8.tmp

Filesize
11KB

MD5
c5061888be5219a05b9de7d752f8da49

SHA1
e96d01c46c4c3a611ffbe4d55ff8c245b00ca67c

SHA256
5f9a37b4bdc9687134a1b22701c354a5a84a10dfb3b0fb6db170d81584a77d6a

SHA512
ecc5acd9f85223d5489832a9aca44e1240825a8532d3e49d31dead151444c459abdb2112984e9108213e72694722b77db7e78e360234a92d076ac98ac0927826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7FA.tmp

Filesize
266KB

MD5
69dc3c072e160b2326957d27a496a88e

SHA1
7a8935f720eee404fcccc7f5bf3944470f08a813

SHA256
3f45744d0d1d820d5b2da936860354e3334379e6b2b79901a8d39347769ea3a6

SHA512
259b3d29870ac1b09c073254f16e211339118a5b3e5b66ec706795f431d28dd2b7e7db2dadc21e6eae3ce8bfbf5bc2a4b1efd84836ac4efd9cf71072c151b62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC843.tmp

Filesize
249KB

MD5
fa93ab1073050c924525b57d18275cdc

SHA1
c0c8eb2101e0fc51e56af850819d7897a908570c

SHA256
382904b2e4511f82eca783876205fa8e1c5a6dc07ab0b51f8d1611c693188776

SHA512
3044e340b21fc1f9a27fa19e518eda4d416fb3176dcfd0634116751c25d96a98d0a09eccfc7478aa3f933bf769511c21095ade7001a52d9b6f687afa4f5c8706

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC845.tmp

Filesize
18KB

MD5
819543fabf5d1d3b360fa556e1fa9ddf

SHA1
0231f06ea2f48e223e25c8d582304c74fca0748e

SHA256
71a11f8f330544fbb1f468a83f8d94dfd66db8f7fb3d4d67d279075f680eb0e5

SHA512
2289d6eb0e150870d7ab9b3b4d7161e14d3db11dd5d80013ee859ed7476cb98da109e4e5f10711d7baea80d8b5917afc428839037e2d50ec159743ae61f7f126

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC856.tmp

Filesize
16KB

MD5
898a943f45ac06aab2fa24992144b14f

SHA1
58aa9f449ba3ef284dbc3e40fb23bc7825028a44

SHA256
e70db880e2ff360607c366295ccc0bd0c73036cd26d1a9f7cecd2f86df82ee61

SHA512
72e83400a1f3884d238ae898f83a4fd5b04ffbbde0d369a48445f6a5f7ae18229af68a64ab13842df913a6b74fe2f65adb9b931b1ad7aa30b84be373e07e97dc

Download Submit
memory/2176-8-0x0000000006C60000-0x0000000006E22000-memory.dmp

Filesize
1.8MB

Download
memory/2176-5-0x0000000005690000-0x00000000056DC000-memory.dmp

Filesize
304KB

Download
memory/2176-165-0x0000000007020000-0x0000000007096000-memory.dmp

Filesize
472KB

Download
memory/2176-166-0x0000000007140000-0x00000000071D2000-memory.dmp

Filesize
584KB

Download
memory/2176-167-0x0000000007E40000-0x00000000083E4000-memory.dmp

Filesize
5.6MB

Download
memory/2176-168-0x0000000007990000-0x00000000079AE000-memory.dmp

Filesize
120KB

Download
memory/2176-9-0x0000000007360000-0x000000000788C000-memory.dmp

Filesize
5.2MB

Download
memory/2176-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/2176-7-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/2176-164-0x0000000006E30000-0x0000000006E96000-memory.dmp

Filesize
408KB

Download
memory/2176-6-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/2176-4-0x00000000056F0000-0x000000000572C000-memory.dmp

Filesize
240KB

Download
memory/2176-3-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/2176-2-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/2176-1-0x0000000000860000-0x0000000000CD8000-memory.dmp

Filesize
4.5MB

Download
memory/2176-382-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/2176-383-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download