redline | 4d2b21d8928e3f68ce63fb97a249bfdcad9ea8286d6fd49804cdcf9dde85c429

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe
Size

95KB
MD5

6cec6d556ca7cc5324959811a61e962f
SHA1

a0f0f77232c7bf3484247c0b609d755f4f6c58e1
SHA256

21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3
SHA512

8da51314faa31aee3b1c9f8374dd55070de1e9bd34dc2bd46ea32c28ffc91104f769d8e65d1b6b3d4af8c52edfc06bc24600e5c2cee0941a5a875f614b1d97d8
SSDEEP

1536:FqsghaqpalbG6jejoigIP43Ywzi0Zb78ivombfexv0ujXyyed2R3tmulgS6pQl:D+aKaYP+zi0ZbYe1g0ujyzd1Q

Score

10^/10

redline sectoprat zbot infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

zbot

0.tcp.eu.ngrok.io:15032

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1976-54-0x0000000000F00000-0x0000000000F1E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1976-54-0x0000000000F00000-0x0000000000F1E000-memory.dmp	family_sectoprat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe

description pid process

Token: SeDebugPrivilege 1976 21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe

description	pid	process
Token: SeDebugPrivilege	1976	21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe

C:\Users\Admin\AppData\Local\Temp\21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe
"C:\Users\Admin\AppData\Local\Temp\21b7313afd5d2401a2bf46fa3a0d3440af2b45279bc0ddce93074ebb62ed42f3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-54-0x0000000000F00000-0x0000000000F1E000-memory.dmp

Filesize
120KB

Download
memory/1976-55-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download