Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
28-03-2023 08:55
Behavioral task
behavioral1
Sample
21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe
Resource
win7-20230220-en
General
-
Target
21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe
-
Size
95KB
-
MD5
6cec6d556ca7cc5324959811a61e962f
-
SHA1
a0f0f77232c7bf3484247c0b609d755f4f6c58e1
-
SHA256
21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3
-
SHA512
8da51314faa31aee3b1c9f8374dd55070de1e9bd34dc2bd46ea32c28ffc91104f769d8e65d1b6b3d4af8c52edfc06bc24600e5c2cee0941a5a875f614b1d97d8
-
SSDEEP
1536:FqsghaqpalbG6jejoigIP43Ywzi0Zb78ivombfexv0ujXyyed2R3tmulgS6pQl:D+aKaYP+zi0ZbYe1g0ujyzd1Q
Malware Config
Extracted
redline
zbot
0.tcp.eu.ngrok.io:15032
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1976-54-0x0000000000F00000-0x0000000000F1E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1976-54-0x0000000000F00000-0x0000000000F1E000-memory.dmp family_sectoprat -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exedescription pid process Token: SeDebugPrivilege 1976 21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe