Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01-03-2023 13:27
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
windows7-x64
5 signatures
150 seconds
General
-
Target
tmp.exe
-
Size
205KB
-
MD5
b3503746bb7f1d30755c9f4a26ce0a2c
-
SHA1
2490c2a6b3fad0711993c8bb16aab2d21cefac6f
-
SHA256
90706da9b2d8dca13b4823cb9b6c95bde3df92ac336826722b33cfe495d2e300
-
SHA512
142841d0e5a51212af7f7ae6cd083eb5daa2e5542f3c8294524ff8c722a4dcbe8462bf647f928ba3b3edb4d36638a4be5a83ad5762e9b8e66429f6006901b72c
-
SSDEEP
1536:pqsEFqJklbG6jejoigIg43Ywzi0Zb78ivombfexv0ujXyyed2AtmulgS6pG3OkzB:HYScYg+zi0ZbYe1g0ujyzdspkzLQW
Malware Config
Extracted
Family
redline
Botnet
1877
C2
overthinker1877.duckdns.org:60732
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2028-54-0x00000000001C0000-0x00000000001F8000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2028-54-0x00000000001C0000-0x00000000001F8000-memory.dmp family_sectoprat -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmp.exedescription pid process Token: SeDebugPrivilege 2028 tmp.exe