redline | 645e55b1ed6e8bdfcf82bd2abf82cda4c3539c3639d850bdbd4602e3f4d6a638

Analysis

max time kernel
132s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01-09-2023 08:45

Target

buildnewbuild.exe
Size

95KB
MD5

a71371d1a53f284a6421ba0022e00e91
SHA1

6de1622680d4eec098eaeec19bc4eeaefb4f8346
SHA256

645e55b1ed6e8bdfcf82bd2abf82cda4c3539c3639d850bdbd4602e3f4d6a638
SHA512

3e0560cd2bb9b5b83052654b099a7f46d6fc260e98e56bd535ec1cd50c6d5694c6d4cbf9ded03755373c2bdbfdee7418236f5defb7bdfefacc02776553231aa2
SSDEEP

1536:NqsIoqu3lbG6jejoigIH43Ywzi0Zb78ivombfexv0ujXyyed2PtmulgS6pIl:7Z1FYH+zi0ZbYe1g0ujyzd/I

Score

10^/10

Family

redline

Botnet

@ShadowCloud

15.228.188.221:4483

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000D00000-0x0000000000D1E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000D00000-0x0000000000D1E000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	buildnewbuild.exe

C:\Users\Admin\AppData\Local\Temp\buildnewbuild.exe
"C:\Users\Admin\AppData\Local\Temp\buildnewbuild.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

memory/3028-0-0x0000000000D00000-0x0000000000D1E000-memory.dmp

Filesize
120KB

Download
memory/3028-1-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-2-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/3028-3-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-4-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download