redline | 1b33ac622d65ce8b666f4ed01549eaec45ee0b43242c073cf890bc6df61459e5

Analysis

max time kernel
149s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-04-2023 09:04

Target

EmNpZQKFsjAgeAss.exe
Size

502KB
MD5

da3491ec1082ea275af89ded590fedbc
SHA1

af5a582a513f3b0c727551d5a1646b8b3f14bf2f
SHA256

1b33ac622d65ce8b666f4ed01549eaec45ee0b43242c073cf890bc6df61459e5
SHA512

67e8f450a0360a1aff737278c25fec3bf6ae485d813ba3bc3c311f6940d0754c88fb7818e556c44b4265dd436a3fbc4616882836003e6ef05c49117c54cd7766
SSDEEP

6144:i+B9OckfNSJuQQdrpFgi+OP1xN/R+5+59IYMbBmka/go6UhcX7elbKTu19bfF/Ho:i+nOcENSkQJi/N/RWw9vlkjo63X3uz

Score

10^/10

Family

redline

Botnet

cheat

127.0.0.1:15235

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/576-58-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/576-59-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/576-61-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/576-65-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/576-63-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/576-66-0x00000000026B0000-0x00000000026F0000-memory.dmp	family_redline
behavioral2/memory/576-67-0x00000000026B0000-0x00000000026F0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/576-58-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral2/memory/576-59-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral2/memory/576-61-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral2/memory/576-65-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral2/memory/576-63-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral2/memory/576-66-0x00000000026B0000-0x00000000026F0000-memory.dmp	family_sectoprat
behavioral2/memory/576-67-0x00000000026B0000-0x00000000026F0000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

EmNpZQKFsjAgeAss.exe

description pid process target process

PID 1384 set thread context of 576 1384 EmNpZQKFsjAgeAss.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 576 RegAsm.exe

description	pid	process	target process
PID 1384 set thread context of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	576	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EmNpZQKFsjAgeAss.exe

description	pid	process	target process
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 1384 wrote to memory of 576	1384	EmNpZQKFsjAgeAss.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

memory/576-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/576-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/576-66-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/576-67-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1384-54-0x0000000001340000-0x00000000013C4000-memory.dmp

Filesize
528KB

Download
memory/1384-55-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download