redline | bdfa972772e5e39ca0278b2b100bc364d6ed2b1e0dbedc7bb50606111cad395b | Triage

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 23:29

Sharing

Report Analysis Logs

General

Target

work.exe
Size

95KB
MD5

f3ea299f7271137cfecf96f4e5d95793
SHA1

2d4a118eacab84e67927a23514c80431c5d746c9
SHA256

bdfa972772e5e39ca0278b2b100bc364d6ed2b1e0dbedc7bb50606111cad395b
SHA512

3ffd2d5ff1efa2de9565f43e298081c66d8ddd44aa121f05b3cf576e757f3b38a7ece170afea96b3941d2a9a76fbd1d03d5e743394bd8545a717bec6fbb41420
SSDEEP

1536:1qsIlqWWlbG6jejoigI/43Ywzi0Zb78ivombfexv0ujXyyed28teulgS6pg:zIReY/+zi0ZbYe1g0ujyzd8g

Score

10^/10

redline sectoprat 2 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

2

C2

94.142.138.186:1337

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-54-0x0000000000AF0000-0x0000000000B0E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-54-0x0000000000AF0000-0x0000000000B0E000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

work.exe

description pid process

Token: SeDebugPrivilege 1720 work.exe

C:\Users\Admin\AppData\Local\Temp\work.exe
"C:\Users\Admin\AppData\Local\Temp\work.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x0000000000AF0000-0x0000000000B0E000-memory.dmp

Filesize
120KB

Download
memory/1720-55-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1720-56-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download