redline | 23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0

Analysis

max time kernel
107s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2025 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe
Size

4.5MB
MD5

ea832bee94a221bf29669bd178882766
SHA1

9e16a90737523d3d6a7348365f7d4c99aeb3cd75
SHA256

23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0
SHA512

2a9867a2907f8ee615b48b36d03b1b928a8444f30699ba0cd45526d0cdd071b54be83b9460227ba7591fd2f221d080417172fe1d4b07aeeba4a7374f07a51c3d
SSDEEP

49152:tRrBR6Yu++tVJbm+BjzipvXi6MUZJPqyhWzXRU6l3rIDUmGhgscIa:tRNR6Yu+kbmkepvXi4FFIlcDUBa/I

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3636-1-0x0000000000C50000-0x00000000010C8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3636	23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe
3636	23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe

C:\Users\Admin\AppData\Local\Temp\23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe
"C:\Users\Admin\AppData\Local\Temp\23808da61b53bd070a6ccc80bc951ea22213eca98edf603480cefb37498dc6f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD198.tmp

Filesize
18KB

MD5
9bf73d2fe2b0189fa195d9c8cfe1d0ae

SHA1
cf026e2a3cabd3b2d2dec21fa91bf230c18a72fe

SHA256
af5275fb5f5e2b526baf22090d6b4ab46bbcc20ad13d46ec59c2c782ec2ce911

SHA512
0fb36cf87f79d6ceda0e898b0f992e0730b5d8da438e526fc4ef36b050081d04dc0e0b9aaa86ab7cbc063c0a14e88c3672683e4c8989c23610a7d75f9b47ce03

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD199.tmp

Filesize
208KB

MD5
f1ba637c1e3cecd967812a54972fb3a7

SHA1
a71cce6be722d52b0ff016e50a9ea2ba97da98c2

SHA256
80d3282ff563fd58e4b4061d4910336b4f0e7877ea1fb3d4fe4b5da68576a739

SHA512
63bc5dad99b1ad00184c12f86c6daeff1dfb1298e3011699d41dc0463df6d3c70d9e0aa2d33a8c00703a4af413bed8ea609a2983ed2897ad969903f9888a015f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD19B.tmp

Filesize
14KB

MD5
dc51f35ffff3fbd84b2df139407998f6

SHA1
34a6e817eb71f8385fa7f2cc2dd04581c6619cf3

SHA256
dc5b880158c8f442a744b08fa3e2ad2c8b31a47e54af5a3b343442363a52b7e2

SHA512
914da37a3729f36d6618be654d934c125b4869715c9483269f24fbeaa61e9d8ec346ebcf8284a7447955810d28601807be426040d936343a7030dceb018ef2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1CF.tmp

Filesize
10KB

MD5
14dace253125af52e234d5af6c8c7c7e

SHA1
4aabbf66419f9f5571ad03168cf444af75b1515a

SHA256
4af2d42e89afdc1320775bd6eaea5f6bb25908021a957cc5128ad4d58916e47c

SHA512
c71a90ceb263515813211bcbfafd5a85a7ea12f0b2469037e215d67d36d1902c4662b2fc8c0a4edd9e1efc7b4ddbb76c5b184259ddbc305147c1e08c2936e1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1D5.tmp

Filesize
12KB

MD5
f088ff78f7b17f2fc8fc7480e8a36fa6

SHA1
341b5084b580e842a62193c5a9bd88006fbabc88

SHA256
dbc0c45c80f27569ce878c656d09dad2d82ec12365b0958cb4b8e6df001f6864

SHA512
7ee81e817f5873c669412f435fc3e338d203ea5633165fcd25dd70a0ca3962fa7786d4443e5cf671aae74558f13d1b414bf90b44507463221d05376f9306bced

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp

Filesize
11KB

MD5
e62af5c694ea10d8fe644f562146abec

SHA1
7ef4763d17b936da850e8287989a90a3f93ea98f

SHA256
e7b66a58ed6280a30608193e6df0157bdef1f211e5347d70c5195bb07a7d2ff6

SHA512
b7a7f5d48f0cc424c4a0af2eeeed516e93a195cdad274aa9535707da075153a3fa1e419f6fc8101f097e40032f851f04c78e2883e99e828ec5f4c635b54f9da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1F0.tmp

Filesize
169KB

MD5
65d26457524c3584d1589fa1cc9a50e4

SHA1
16cc4e50d7956fb2f2837225a538c7838068aacb

SHA256
0d94f54a21732077d384b5a082454b54400b8278448dec1976332fc4e47aef6f

SHA512
f75c0c1a4e2266379295b60cfe9399ced0af87363eefa91a674a9b638416e1444b22a2cb2c5c6d0217db59b96d2c2c720a7f67ff11c06c3bf745a3493ea9de11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD20C.tmp

Filesize
9KB

MD5
0153f08f6e75cc2e2d1ef6b55f3e4b57

SHA1
bb979d3ee799c6211f64e35d7078c935b278a073

SHA256
0c1ab534077c49fb94d5ffa286037d0fbf106728a20deda5d6c8d2a0150aae68

SHA512
d26c7edcc394c0d3e3e81bbd27b0673d1ab1685fad69257ab64ad23dec64921adcfadaa18be39b9a42082d0a7175d949013cbac49ca52701ec9852a0520f4056

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD267.tmp

Filesize
13KB

MD5
ceef25dadb52b66426afd21108ed6422

SHA1
6d452302d6789e6e1926b9b8ed0da88634e1d84c

SHA256
ea840e9f314854ddab131787b8a74c11d1536039a31061293ae29ed7f7b4093c

SHA512
3e89256d96c4fd2df68aaced878540d5fd9cd864f343aa4dad7331054f49ffc217d6d783f7eb6ed16ed1b5ca532e899c93db455e4acacb5bbfa6de1ff2437393

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD268.tmp

Filesize
273KB

MD5
41339569c0c5d09a2840ad16f85e311d

SHA1
95a81e893b253cbd93f43ade05f28e7c47a9f3ef

SHA256
210284c0751d79a8c4695baf104d0b985ed00d0f4eb5dfa6e5c5654978d6e9fa

SHA512
0e2098d8451a45cba6169ac15723c702dc418a52192f3ace15afe10151f7e473a6b80651d4efa41a0a3e4527129a42bdf316e25683b25f41166ca01dfe9f4e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2F8.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD30D.tmp

Filesize
114KB

MD5
e0c674499c2a9e7d905106eec7b0cf0d

SHA1
f5c9eb7ce5b6268e55f3c68916c8f89b5e88c042

SHA256
59ef72c29987e36b6f7abcb785b5832b26415abbd4ba48a5ccfb4bd00e6d2a27

SHA512
58387036b89d3b637f21ad677db14f29f987982eaad9c1f33f5db63d7b37e24d8df797178a7ce486baf028cac352f3d07144a29dbfdc2153b28f260866bd5dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD339.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD33F.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD345.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD37F.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/3636-15-0x0000000007730000-0x000000000774E000-memory.dmp

Filesize
120KB

Download
memory/3636-8-0x0000000007050000-0x0000000007212000-memory.dmp

Filesize
1.8MB

Download
memory/3636-6-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-5-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/3636-4-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

Filesize
240KB

Download
memory/3636-3-0x0000000005A60000-0x0000000005A72000-memory.dmp

Filesize
72KB

Download
memory/3636-2-0x0000000006130000-0x0000000006748000-memory.dmp

Filesize
6.1MB

Download
memory/3636-1-0x0000000000C50000-0x00000000010C8000-memory.dmp

Filesize
4.5MB

Download
memory/3636-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3636-7-0x0000000005D70000-0x0000000005E7A000-memory.dmp

Filesize
1.0MB

Download
memory/3636-9-0x0000000007750000-0x0000000007C7C000-memory.dmp

Filesize
5.2MB

Download
memory/3636-14-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3636-13-0x0000000008230000-0x00000000087D4000-memory.dmp

Filesize
5.6MB

Download
memory/3636-12-0x00000000074A0000-0x0000000007516000-memory.dmp

Filesize
472KB

Download
memory/3636-11-0x0000000007400000-0x0000000007492000-memory.dmp

Filesize
584KB

Download
memory/3636-10-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/3636-425-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-427-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download