Analysis
max time kernel: 213s
max time network: 246s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 23:09

Static task: static1
Behavioral task: behavioral1
Sample: 184d122b490b7ddd40bb242632966c12.exe
Resource: win7-20231215-en
7 signatures, 150 seconds
General
Target: 184d122b490b7ddd40bb242632966c12.exe
Size: 210KB
MD5: 184d122b490b7ddd40bb242632966c12
SHA1: 52eeebcb30a95c2ba34d6c9c82154bcd07e61bbc
SHA256: 085a46a11e5f51719ad5621e6d3595befbb01ab0f7a88277a4e923e414d41700
SHA512: b226a77270a98676479c9e713dee35b5c3e28288d2d1e316dec7888d557579d9233808321e873d80b4fdb52deac19d049de1ee98c22577a40df27b628c0fe875
SSDEEP: 3072:g+cs070z8krSQCRdEf9J862EnbWjHPVgbZqL8dQgLq2WqxrztDw:pcs07M8krSQC7Ex0HtyqwdQgLbrhw
Malware Config (extracted)
Family: redline
Botnet: pro2
C2: 95.217.122.120:8374
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2180-5-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2180-8-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2180-10-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2180-12-0x0000000004BC0000-0x0000000004C00000-memory.dmp  family_redline

SectopRAT payload (5 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2180-5-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2180-8-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2180-10-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2180-12-0x0000000004BC0000-0x0000000004C00000-memory.dmp  family_sectoprat
behavioral1/memory/2180-14-0x0000000004BC0000-0x0000000004C00000-memory.dmp  family_sectoprat

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                               procid_target
PID 3060 set thread context of 2180  3060  184d122b490b7ddd40bb242632966c12.exe  28

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3060  184d122b490b7ddd40bb242632966c12.exe
Token: SeDebugPrivilege  2180  184d122b490b7ddd40bb242632966c12.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                               procid_target
PID 3060 wrote to memory of 2180  3060  184d122b490b7ddd40bb242632966c12.exe  28
(this identical row is recorded 9 times in the report)
Processes

1. C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe"
   PID: 3060
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
      PID: 2180
      - Suspicious use of AdjustPrivilegeToken