redline | f5390691bcb2159fe21241dbe4df39d221744233615ea97599790a9badeef778

Analysis

max time kernel
144s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 16:10

Target

b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10.exe
Size

95KB
MD5

dceaf7cfb7ca66270f86b0fafc421cec
SHA1

824177a36e2ffa4bb228801219dab0d4cbff2640
SHA256

b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10
SHA512

dcec2035eac36211057fbe735cf25486f4ed077e9e84b6475849543030ce4a47d869e35d19f4dd495237a58fb1f2224eedb324500d7ad00711ee0acc1f0dafb9
SSDEEP

1536:1qsGfq+TmlbG6jejoigI/43Ywzi0Zb78ivombfexv0ujXyyed2T3tmulgS6pg:z0taY/+zi0ZbYe1g0ujyzdLg

Score

10^/10

Family

redline

Botnet

cheat

127.0.0.1:1337

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1352-54-0x0000000000AF0000-0x0000000000B0E000-memory.dmp	family_redline
behavioral1/memory/1352-55-0x00000000003F0000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1352-56-0x00000000003F0000-0x0000000000430000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1352-54-0x0000000000AF0000-0x0000000000B0E000-memory.dmp	family_sectoprat
behavioral1/memory/1352-55-0x00000000003F0000-0x0000000000430000-memory.dmp	family_sectoprat
behavioral1/memory/1352-56-0x00000000003F0000-0x0000000000430000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10.exe

description pid process

Token: SeDebugPrivilege 1352 b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10.exe

description	pid	process
Token: SeDebugPrivilege	1352	b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10.exe

C:\Users\Admin\AppData\Local\Temp\b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10.exe
"C:\Users\Admin\AppData\Local\Temp\b0ea212fbe7c4059d1b25a5afcb1b00040e8b501c8f3af73d930ea0daf41fe10.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

memory/1352-54-0x0000000000AF0000-0x0000000000B0E000-memory.dmp

Filesize
120KB

Download
memory/1352-55-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/1352-56-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download