redline | 88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24

General

Target

88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
Size

964KB
MD5

14d111eba3c9ee5e36549ebad0360dbe
SHA1

ee236f96bf998ec27f3e83db02af8df5ac0e3631
SHA256

88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24
SHA512

d30edadffc4de7d3bb95753ef00d344c56db47593afbdea79cbc96f41caa65322c6b1997047cbdb764933e9151a7195478f06cb981aa04bdde66e8e7070eaae9
SSDEEP

24576:bxLsMs8WdZ78l98ecfHOGABIe8kneSuRWu:Jsldmv89fHOz8OwWu

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.150:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2704-38-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2704-35-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2704-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2704-40-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2704-41-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2704-38-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2704-35-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2704-33-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2704-40-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2704-41-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	PO.exe
2704	PO.exe

Loads dropped DLL 5 IoCs

pid	Process
2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
2556	PO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2704	2556	PO.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2556	PO.exe
2556	PO.exe
2556	PO.exe
2556	PO.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	PO.exe
Token: SeDebugPrivilege	2704	PO.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1272	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1272	DllHost.exe
1272	DllHost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2556	2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe	32
PID 2360 wrote to memory of 2556	2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe	32
PID 2360 wrote to memory of 2556	2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe	32
PID 2360 wrote to memory of 2556	2360	88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe	32
PID 2556 wrote to memory of 2748	2556	PO.exe	33
PID 2556 wrote to memory of 2748	2556	PO.exe	33
PID 2556 wrote to memory of 2748	2556	PO.exe	33
PID 2556 wrote to memory of 2748	2556	PO.exe	33
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35
PID 2556 wrote to memory of 2704	2556	PO.exe	35

C:\Users\Admin\AppData\Local\Temp\88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe
"C:\Users\Admin\AppData\Local\Temp\88ce28ff68c1aed67d67789260dc51fdc5ad0e7fd69c27d0f60db5214e013b24.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
873KB

MD5
750833f9083a8381bc81adc2fadd6b2d

SHA1
38b39f32c5edb707e653fa628506cf608213024a

SHA256
d68382e27603a19817ee27efd0acc8fe651c1fa91b9808d7e294ee6055c628a3

SHA512
6e7a30804f14202c4c46913f0f7773324e28b2e7972b2fef8cba6e54915374b964d43436f36fb2194dda5c8c7bc3823890198f4fda2edd500e0568f74f20a211

Download Submit
memory/1272-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1272-5-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/1272-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2360-4-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/2556-25-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2556-23-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/2556-21-0x0000000000D70000-0x0000000000E4C000-memory.dmp

Filesize
880KB

Download
memory/2556-26-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2556-27-0x0000000000450000-0x00000000004D2000-memory.dmp

Filesize
520KB

Download
memory/2704-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-41-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing