redline | 2cc31e67f6448825be0ddc678165fe338ffd23f9581797f4ce1272dfe5dea297

General

Target

PO#US003830.PDF..............exe
Size

512KB
MD5

2541997a6cb4f57e957e02be55ff3742
SHA1

605a47ea31da455b0e31c1f088f87c4b8a83caa6
SHA256

a2735005d85c2e5362b214f1a32593945a8c682b541a2f459823fb0669df62ae
SHA512

ccba04c4e3b8f6159629425f228a930e549d3c6274cc44ddef5c9932fa48e67fab388adbd8c80694b7a211f90c6f28c128d73a3d569c1977da78e6b16e8b7cb8
SSDEEP

12288:4VK/e5E/p/wXI19f/sAGDH+Yw77SnEv17/LRpYzjsuFo:w5af+H+B7SnY17YzjsuFo

Score

10^/10

redline sectoprat vex4you discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

vex4you

C2

209.38.151.4:55123

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4936-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/4936-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 4936	208	PO#US003830.PDF..............exe	97

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO#US003830.PDF..............exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO#US003830.PDF..............exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
208	PO#US003830.PDF..............exe
208	PO#US003830.PDF..............exe
4936	PO#US003830.PDF..............exe
4936	PO#US003830.PDF..............exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	PO#US003830.PDF..............exe
Token: SeDebugPrivilege	4936	PO#US003830.PDF..............exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 4940	208	PO#US003830.PDF..............exe	96
PID 208 wrote to memory of 4940	208	PO#US003830.PDF..............exe	96
PID 208 wrote to memory of 4940	208	PO#US003830.PDF..............exe	96
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97
PID 208 wrote to memory of 4936	208	PO#US003830.PDF..............exe	97

C:\Users\Admin\AppData\Local\Temp\PO#US003830.PDF..............exe
"C:\Users\Admin\AppData\Local\Temp\PO#US003830.PDF..............exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\PO#US003830.PDF..............exe
  "C:\Users\Admin\AppData\Local\Temp\PO#US003830.PDF..............exe"
  2⤵
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\PO#US003830.PDF..............exe
  "C:\Users\Admin\AppData\Local\Temp\PO#US003830.PDF..............exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#US003830.PDF..............exe.log

Filesize
1KB

MD5
7ef67a0a2b1e31df887adcdaf86e4bbd

SHA1
348aad52be33f1a0c477e2ace332ecf91bb0e1a8

SHA256
af207d70281cc3264107da297e00ab97d0af2f055d6065ca5936cf69db6d783f

SHA512
4ffab7944ec049f2597bda791de5fd3ae3578b03ef019d2222850b8f5a298e3aae8b6e33f71c38e47132d63fb58ab1b03c876b9a01665bc8bbcf01466e7d79e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE95C.tmp

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE972.tmp

Filesize
130KB

MD5
6bb0a66da2c1b52808ddc385380a5092

SHA1
7511d0ab76a03aded6ddcd146de09d8f3455dea7

SHA256
d31ba23320d632a70706a585ad757b8607788e3ba564b86a586a7cc8d294641d

SHA512
9e6777eda7a63b97f17a7699bb167cd39b54d8abb109eb905e7474a55d16aa8df31a29269ba798e809c134057e412eef372564b2ae6b780e217405db25097ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE99D.tmp

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9B3.tmp

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9DE.tmp

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
memory/208-4-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/208-7-0x0000000005160000-0x0000000005174000-memory.dmp

Filesize
80KB

Download
memory/208-8-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/208-9-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/208-10-0x00000000062F0000-0x0000000006352000-memory.dmp

Filesize
392KB

Download
memory/208-6-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/208-5-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/208-14-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/208-3-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/208-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/208-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/208-1-0x00000000004C0000-0x0000000000546000-memory.dmp

Filesize
536KB

Download
memory/4936-17-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/4936-19-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

Filesize
304KB

Download
memory/4936-21-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/4936-22-0x00000000064D0000-0x0000000006692000-memory.dmp

Filesize
1.8MB

Download
memory/4936-23-0x0000000006BD0000-0x00000000070FC000-memory.dmp

Filesize
5.2MB

Download
memory/4936-24-0x00000000066A0000-0x0000000006706000-memory.dmp

Filesize
408KB

Download
memory/4936-40-0x00000000068E0000-0x0000000006956000-memory.dmp

Filesize
472KB

Download
memory/4936-41-0x0000000007200000-0x000000000721E000-memory.dmp

Filesize
120KB

Download
memory/4936-20-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4936-18-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/4936-16-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/4936-15-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4936-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4936-175-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4936-176-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4936-177-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing