Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 23:13

General

  • Target

    18851ac1b5161ebdb1b2cf9a9e69ffaa.exe

  • Size

    289KB

  • MD5

    18851ac1b5161ebdb1b2cf9a9e69ffaa

  • SHA1

    7e1ad712092fa0244618d63cbc40ee0a905310bd

  • SHA256

    2cb5d586b1e5511df8134203c1533d3d49107f53c84156cb3f0083c9d75dd0b0

  • SHA512

    eb3d79b17da3109d199d34ff4abe914551305e481e75b38f3fa9d87e67451898dea1e048655f6d7bc7522d2392fbcc145221128a9c2e183a296ed965f64f2436

  • SSDEEP

    3072:2xmocnUDJX69gbucyzd8SnvmMWmku5+GwZWtFchWdwL4Rzql:pnUF6yZy+Ygu+hItFA4Ru

Malware Config

Extracted

Family

redline

Botnet

NetFramework

C2

yonicathal.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18851ac1b5161ebdb1b2cf9a9e69ffaa.exe
    "C:\Users\Admin\AppData\Local\Temp\18851ac1b5161ebdb1b2cf9a9e69ffaa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2288

Network

        Downloads

        • memory/2288-0-0x0000000000AF0000-0x0000000000B3E000-memory.dmp

          Filesize

          312KB

        • memory/2288-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

          Filesize

          6.9MB

        • memory/2288-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

          Filesize

          256KB

        • memory/2288-3-0x0000000074690000-0x0000000074D7E000-memory.dmp

          Filesize

          6.9MB
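The dump names above encode PID, capture index and the start/end virtual addresses of the region, so the reported Filesize can be recomputed from the name. The following is an added example (not part of the sandbox report) that parses the four names listed here, checks each reported size against the address range, and flags that the range 0x74690000-0x74D7E000 was captured twice (indexes 1 and 3), which is the pair worth diffing when looking for the unpacked RedLine/SectopRAT payload. The list of names and sizes is copied from this page into a constant so the script runs offline; the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed input: the memory-dump names and sizes reported above, copied
# into a list so the script runs without the report or the dump files.
REPORTED = [
    ("memory/2288-0-0x0000000000AF0000-0x0000000000B3E000-memory.dmp", "312KB"),
    ("memory/2288-1-0x0000000074690000-0x0000000074D7E000-memory.dmp", "6.9MB"),
    ("memory/2288-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp", "256KB"),
    ("memory/2288-3-0x0000000074690000-0x0000000074D7E000-memory.dmp", "6.9MB"),
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Split a dump file name into PID, capture index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, idx, start, end = m.groups()
    region = Region(int(pid), int(idx), int(start, 16), int(end, 16))
    if region.end <= region.start:
        raise ValueError(f"end address not after start address in {name}")
    return region


def human_size(nbytes: int) -> str:
    """Render a byte count the way the report does: whole KB below 1 MiB,
    one decimal of MB at or above it."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_report(entries):
    """Return (Region, matches) pairs: True when the reported Filesize equals
    the size implied by the address range in the dump name."""
    results = []
    for name, reported in entries:
        region = parse_dump_name(name)
        results.append((region, human_size(region.size) == reported))
    return results


def duplicate_ranges(regions):
    """Pairs of captures that cover the same address range; these are the
    candidates to diff for code that changed in place (e.g. after unpacking)."""
    seen = {}
    dupes = []
    for region in regions:
        key = (region.start, region.end)
        if key in seen:
            dupes.append((seen[key], region))
        seen[key] = region
    return dupes


if __name__ == "__main__":
    regions = []
    for region, ok in check_report(REPORTED):
        regions.append(region)
        print(f"pid={region.pid} idx={region.index} "
              f"0x{region.start:08X}-0x{region.end:08X} "
              f"{human_size(region.size)} size_ok={ok}")
    for first, second in duplicate_ranges(regions):
        print(f"range 0x{first.start:08X}-0x{first.end:08X} captured twice: "
              f"indexes {first.index} and {second.index}")
```

All four reported sizes reconcile with their address ranges (0x4E000, 0x6EE000, 0x40000 and 0x6EE000 bytes), so the Filesize fields here are consistent with the names; a mismatch would point at a truncated or mislabelled dump rather than at the sample.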