redline | 498461e84b5b0120a4445337a29d40b6b0d2809d1b7182a2e22920b7ad33d802

Analysis

max time kernel
147s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 08:54

Target

a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6.exe
Size

95KB
MD5

48fb3ecf518ea2e42f43510e8908879c
SHA1

03330d8ef1632b4c920bfbb80cefa401efaf0786
SHA256

a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6
SHA512

1bd7ae5edd0093e0aa0e821e8539980d88091e017874c6fdcba811bc90e510b162335dc576810703da4fe34f803122007bb00b70fc63b8bbce3feec487a6bf22
SSDEEP

1536:kqswlqWWlbG6jejoigI/43Ywzi0Zb78ivombfexv0ujXyyed2+3teulgS6pg:igReY/+zi0ZbYe1g0ujyzdog

Score

10^/10

Family

redline

Botnet

cheat

127.0.0.1:13344

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1088-54-0x0000000000DC0000-0x0000000000DDE000-memory.dmp	family_redline
behavioral1/memory/1088-55-0x00000000048A0000-0x00000000048E0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1088-54-0x0000000000DC0000-0x0000000000DDE000-memory.dmp	family_sectoprat
behavioral1/memory/1088-55-0x00000000048A0000-0x00000000048E0000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6.exe

description pid process

Token: SeDebugPrivilege 1088 a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6.exe

description	pid	process
Token: SeDebugPrivilege	1088	a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6.exe

C:\Users\Admin\AppData\Local\Temp\a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6.exe
"C:\Users\Admin\AppData\Local\Temp\a03e438f8a51628d96e86ec31e75bdea9866d9e86c722d449835743315827ea6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

memory/1088-54-0x0000000000DC0000-0x0000000000DDE000-memory.dmp

Filesize
120KB

Download
memory/1088-55-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1088-56-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download