redline | 0dfc3040d5379938e2e20165bf67d6822668b018894488a00a7572ab38428588

Analysis

max time kernel
149s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 08:54

Target

bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03.exe
Size

95KB
MD5

a1f1576ea9d02b0ba28f62fae150550c
SHA1

3ff31d9c3a27c9e30300eee7191d331d97d83d39
SHA256

bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03
SHA512

ca2b11c2f511c62eea798f23ae3ddcaca2176c0e128de73323a9983065bfb36aaffdbbff0d5c13f17875d0e6819e00c6a75a1ac791477d14bd51cb55b356279a
SSDEEP

1536:aqsWuqBXlbG6jejoigIL43Ywzi0Zb78ivombfexv0ujXyyed2vtmulgS6pw:IlilYL+zi0ZbYe1g0ujyzdnw

Score

10^/10

Family

redline

Botnet

alice

laptop-senp05hg.tailebd9d.ts.net:38192

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-54-0x0000000000320000-0x000000000033E000-memory.dmp	family_redline
behavioral1/memory/1712-55-0x0000000004AE0000-0x0000000004B20000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-54-0x0000000000320000-0x000000000033E000-memory.dmp	family_sectoprat
behavioral1/memory/1712-55-0x0000000004AE0000-0x0000000004B20000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03.exe

description pid process

Token: SeDebugPrivilege 1712 bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03.exe

description	pid	process
Token: SeDebugPrivilege	1712	bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03.exe

C:\Users\Admin\AppData\Local\Temp\bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03.exe
"C:\Users\Admin\AppData\Local\Temp\bc2ff2eb335a461478e3f34cbbc5dda052ae7918eb88822fceafd90157cbac03.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

memory/1712-54-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1712-55-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1712-56-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download